
Exploring 
New Frontiers 
of Theoretical 
Informatics 



Edited by 

Jean-Jacques Levy 
Ernst W. Mayr 
John C. Mitchell 




KLUWER 

ACADEMIC 

PUBLISHERS 




EXPLORING NEW FRONTIERS 
OF THEORETICAL INFORMATICS 




IFIP - The International Federation for Information Processing 



IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer 
Congress held in Paris the previous year. An umbrella organization for societies working in 
information processing, IFIP’s aim is two-fold: to support information processing within its 
member countries and to encourage technology transfer to developing nations. As its mission 
statement clearly states, 

IFIP’s mission is to be the leading, truly international, apolitical organization 
which encourages and assists in the development, exploitation and application 
of information technology for the benefit of all people. 

IFIP is a non-profit making organization, run almost solely by 2500 volunteers. It operates 
through a number of technical committees, which organize events and publications. IFIP's 
events range from an international congress to local seminars, but the most important are: 

• The IFIP World Computer Congress, held every second year; 

• Open conferences; 

• Working conferences. 

The flagship event is the IFIP World Computer Congress, at which both invited and contributed 
papers are presented. Contributed papers are rigorously refereed and the rejection rate is high. 

As with the Congress, participation in the open conferences is open to all and papers may be 
invited or submitted. Again, submitted papers are stringently refereed. 

The working conferences are structured differently. They are usually run by a working group and 
attendance is small and by invitation only. Their purpose is to create an atmosphere conducive 
to innovation and development. Refereeing is less rigorous and papers are subjected to 
extensive group discussion. 

Publications arising from IFIP events vary. The papers presented at the IFIP World Computer 
Congress and at open conferences are published as conference proceedings, while the results of 
the working conferences are often published as collections of selected and edited papers. 

Any national society whose primary activity is in information may apply to become a full 
member of IFIP, although full membership is restricted to one society per country. Full 
members are entitled to vote at the annual General Assembly, National societies preferring a 
less committed involvement may apply for associate or corresponding membership. Associate 
members enjoy the same benefits as full members, but without voting rights. Corresponding 
members are not represented in IFIP bodies. Affiliated membership is open to non-national 
societies, and individual and honorary membership schemes are also offered. 




EXPLORING NEW FRONTIERS OF 
THEORETICAL INFORMATICS 



IFIP 18th World Computer Congress 
TCI 3rd International Conference on 
Theoretical Computer Science (TCS2004) 
22-27 August 2004 
Toulouse, France 



Edited by 

Jean-Jacques Levy 

INRIA, France 

Ernst W. Mayr 

Technische Universitat Munchen, Germany 

John C. Mitchell 

Stanford University, USA 



KLUWER ACADEMIC PUBLISHERS 

NEW YORK, BOSTON, DORDRECHT, LONDON, MOSCOW 



eBook ISBN: 1-4020-8141-3 

Print ISBN: 1-4020-8140-5 



©2004 Springer Science + Business Media, Inc. 



Print ©2004 by International Federation for Information Processing. 
Boston 

All rights reserved 



No part of this eBook may be reproduced or transmitted in any form or by any means, electronic, 
mechanical, recording, or otherwise, without written consent from the Publisher 



Created in the United States of America 



Visit Springer's eBookstore at: 

and the Springer Global Website Online at: 



http://www.ebooks.kluweronline.com 

http://www.springeronline.com 



CONTENTS 



Preface xi 

Program Committee xiii 

Invited talks 

The tPI (tRNA Pairing Index), a Mathematical Measure of 
Repetition in a (Biological) Sequence 

Gaston Gonnet 1 

Stability of Approximation in Discrete Optimization 

Jura j Hromkovid 3 

Towards a Broader Theory of Mobile Processes 

Robin Milner 19 

A Decidable Analysis of Security Protocols 

Michael Rusinowitch 21 

Track (1) on Algorithms, Complexity, and 
Models of Computation 

Looking Inside AES and BES 

Ilia Toli, Alberto Zanoni 23 

Remove Key Escrow from The Identity-Based Encryption System 
Zhaohui Cheng, Richard Comley, Luminita Vasin 37 




vi 

A Randomised Algorithm for Checking the Normality of 
Cryptographic Boolean Functions 

An Braeken, Christopher Wolf, Bart Preneel 51 

Reversible Circuit Realizations of Boolean Functions 

Alex Brodsky 67 

Resource Bounded Immunity and Simplicity 

Toshio Suzuki, Tomoyuki Yamakami 81 

Degree Bounds on Polynomials and Relativization Theory 

Holger Spakowski, Rahul Tripathi 97 

The Firing Squad Synchronization Problem with Many 
Generals For One-Dimensional CA 

Hubert Schmid, Thomas Worsch Ill 

A Matrix q- Analogue of the Parikh Map 

Omer Egecioglu, Oscar Ibarra 125 

The Inherent Queuing Delay of Parallel Packet Switches 

Hcigit Attiya, David Hay 139 

Efficient Protocols for Computing the Optimal Swap Edges 
of a Shortest Path Tree 

Paola Flocchini, Antonio Mesa Enriques, Linda Pagli, 

Giuseppe Prencipe, Nicola San toro 153 

Truthful Mechanisms for Generalized Utilitarian Problems 
Giovanna Melicleo, Paolo Penna, Guido Proietti, 

Roger Wattenhofer, Peter Widmayer 167 

The Driving Philosophers 

Sebastien Baehni, Roberto Baldoni, Rachicl Guerraoui, 

Bastian Pochon 181 

Engineering an External Memory Minimum Spanning 
Tree Algorithm 

Roman Dementiev, Peter Sanders, Dominik Schultes, JopSibeyn 195 




vii 

Scheduling with Release Times and Deadlines on a Minimum 
Number of Machines 

MarkCieliebak, Thomas Erl ebach, Fabian Hennecke, 

Birgitta Weber, Peter Widmayer 209 

Approximation Algorithms for Mixed Fractional Packing and 
Covering Problems 

Klaus Jansen 223 

On Weighted Rectangle Packing with Large Resources 

Aleksei V. Fishkin, Olga Gerber, Klaus Jansen 237 

An 0(nlog 2 ri) Algorithm for the Optimal Sink Location Problem 

in Dynamic Tree Networks 

Satoko Mamada, Takeaki Uno, Kazuhisa Makino, 

Satoru Fujishige 251 

Efficient Algorithms for Handling Molecular Weighted Sequences 
Costas S. Iliopoulos, Christos Makris, Yannis Panagis, 

Katerina Perdikuri, Evangelos Theodoridis, Athanasios Tsakalidis 265 

Imperfectness of Data for STS-Based Physical Mapping 

Hiro Ito, Kazuo Iwama, Takeyuki Tamura 279 

Solving Packing Problem with Weaker Block Solvers 

Hu Zhang 293 

Adaptive Sorting with AVL Trees 

AtnrA. Elmasry 307 

Precise Analysis of Jt-Calculus in Cubic Time 

Livio Colussi, Gilberto File, A. Griggio 317 

Track (2) on Logic, Semantics, 

Specification, and Verification 

Prototyping Proof Carrying Code 

Martin Wildmoser, Tobias Nipkow, Gerwin Klein, Sebastian Nanz 333 



Contract Oriented Development of Component Software 
Zhiming Liu, He Jifeng, Xiaoshan Li 



349 




viii 

New Insights on Architectural Connectors 

Roberto Bruni, Jose LuizFiadeiro, Ivan Lanese, Antonia Lopes, 

UgoMontanari 367 

On Complexity of Model-Checking for the TQL Logic 

Iovka Boneva, Jean-Marc Talbot 381 

A Generic Framework for Checking Semantic Equivalences 

between Pushdown Automata and Finite-State Automata 

Antonin Kudera, Richard Mayr 395 

Tailoring Recursion to Characterize Non-Deterministic 

Complexity Classes over Arbitrary Structures 

Olivier Bournez, Felipe Clicker, Paulin Jacobede Naurois, 



Jean-Yves Marion 409 

A Calculus with Lazy Module Operators 

Davide Ancona, Sonia Fagorzi, Elena Zucca 423 

Dynamic Typing with Dependent Types 

Xinming Ou, Gang Tan, Yitzhak Mandelbaum, David Walker 437 

Subtyping-Inheritance Conflicts: The Mobile Mixin Case 

Lorenzo Bettini, Viviana Bono, Betti Venneri 451 

Asymptotic Behaviors of Type-2 Algorithms and Induced 
Baire Topologies 

Chung-ChihLi 465 

Effective Chemistry for Synchrony and Asynchrony 

Deepak Garg, Akash Lai, Sanjiva Prasad 479 

Controller Synthesis for Probabilistic Systems 
Christel Baier, Marcus Groesser, Martin Leucker, 

BenediktBollig, Frank Ciesinski 493 

Highly Undecidable Questions for Process Algebras 

Petr Jandar, Jifi Srba 507 




ix 

New-HOPLA: A Higher-order Process Language with 
Name Generation 

Glynn Winskel, Francesco Zappa Nardelli 521 

Behavioural Equivalences for Dynamic Web Data 

Sergio Majfeis, Philippa Gardner 535 

Behavioural Theory for Mobile Ambients 

Massimo Metro, Francesco Zappa Nardelli 549 

Nested Commits for Mobile Calculi: Extending Join 

Roberto Bruni, Herndn C. Melgratti, Ugo Montanari 563 

Dynamic and Local Typing for Mobile Ambients 
Mario Coppo, Mariangiola Dezani-Ciancaglini, 

Elio Giovannetti, Rosario Pugliese 577 

PolyA: True Type Polymorphism for Mobile Ambients 

Torben Amtoft, Henning Makholm, J. B. Wells 591 

Recovering Resources in the Jt-calculus 

David Teller 605 

Ensuring Termination by Typability 

Yuxin Deng, Davide Sangiorgi 619 

The Simply-typed Pure Pattern Type System E nsures 
Strong Normalization 

Benjamin Wack 633 

Termination in Modal Kleene Algebra 

Jules Desharnciis, Bernhard W. MoIIer, Georg Struth 647 

Regular Tree Language Recognition with Static Information 

Alcan Frisch 661 



Author Index 



,675 




PREFACE 



IFIP TCS 2004 is the third international conference organized by IFIP 
TCI, whose activities cover the entire field of theoretical computer sci- 
ence. The major topics of the conference were chosen reflecting the cur- 
rent activities in theoretical computer science forming the two tracks: 



Track (1) on Algorithms, Complexity, and Models of Computation, 
Track (2) on Logic, Semantics, Specification, and Verification. 



The program of IFIP TCS 2004 included the presentations of twenty- 
two contributed papers in Track (1) and twenty-four contributed papers 
in Track (2). The Program Committees selected them from sixty-five 
submissions to Track (1) and eighty-two submissions to Track (2). 

The four plenary invited speakers were chosen by the Steering Com- 
mittee, the Chair and the PC Co-Chairs. 

This volume constitutes the record of the technical program, consist- 
ing of the contributed papers and the invited talks. We had the pleasure 
of chairing the conference and the program committees of the third IFIP 
International Conference on Theoretical Computer Science. We are ex- 
tremely grateful to Jean-Claude Laprie and his staff, who helped us in 
preparing and announcing the call for papers, the program, and the web 
pages, and in putting together the proceedings. 

We would l ik e to express our thanks to the other members of the 
Program Committees, who are listed below, for their help in reviewing 
all submissions and for selecting the papers. 



Jean-Jacques Levy 
Chair 
Ernst W. Mayr 
John C. Mitchell 
Co-Chairs 
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THE TPI (TRNA PAIRING INDEX), 
A MATHEMATICAL MEASURE OF 
REPETITION IN A (BIOLOGICAL) 
SEQUENCE 

Gaston H. Gonnet 

Dept, of Computer Science, ETH Zurich 
Swiss Federal Institute of Technology 
ETH Zentrum RZ F2, CH-8092 Zurich 



DNA sequences contain, among other information, the encoding of amino 
acids for proteins. Coding for the amino acids is redundant, that is most amino 
acids are coded by more than one codon (base-triplet). Usage of different 
codons coding for the same amino acids is called codon bias. Codon bias 
can be easily observed in most genomes, i.e. the probabilities of the codons 
is not uniform, quite skewed very often. The function of codon bias is still 
unknown, although error correction, DNA stability, speed of translation are 
usually quoted as possible reasons for it. 

Different codons are translated to amino acids by different tRNA molecules. 
Depending on the species, codons are mapped to tRNA molecules, one-to-one 
or many-to-one, and tRNA molecules map to amino acids, again one-to-one or 
many-to-one. 

One of the aspects of codon usage which is suspected of affecting the trans- 
lation efficiency is whether tRNA molecules (or codons) are reused more or less 
frequently. To study this effect we have to design an index that will measure 
how much reuse of a particular tRNA (or codon) there is compared to random 
distribution. This is called the tPI. The tPI must be independent of particular 
(skewed) frequency distributions. In the end, the tPI is a probabilistic measure 
over a sequence of symbols from a finite alphabet. 

We describe the formulation of the tPI which has the desirable properties. It 
is relatively straightforward to find a recursion formula to compute its values. 
Less straightforward is to compute the moments of its distribution, and even 
more complicated is to compute it efficiently. It should be noted that this is 
not purely a theoretical question, biologists want to compute the tPI of most 
sequences, so an efficient algorithm is required. 

To make the computation more effective, we transformed the recursion for- 
mulas to have a desirable property that makes its computation require less 
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intermediate storage and hence tractable. tPI indices of entire genomes have 
been computed. 




STABILITY OF APPROXIMATION IN 
DISCRETE OPTIMIZATION 



Juraj Hromkovic 

Dept, of Computer Science, ETH Zurich 
Swiss Federal Institute of Technology 
ETH Zentrum RZ F2, CH-8092 Zurich 
juraj. hromkovic@inf.ethz.ch 



Abstract 

One can try to parametrize the set of the instances of an optimization prob- 
lem and look for in polynomial time achievable approximation ratio with respect 
to this parametrization. When the approximation ratio grows with the parame- 
ter, but is independent of the size of the instances, then we speak about stable 
approximation algorithms. An interesting point is that there exist stable approx- 
imation algorithms for problems like TSP that is not approximable within any 
polynomial approximation ratio in polynomial time (assuming P is not equal 
to NP). The investigation of the stability of approximation overcomes in this 
way the troubles with measuring the complexity and approximation ratio in the 
worst-case manner, because it may success in partitioning of the set of all input 
instances of a hard problem into infinite many classes with respect to the hardest 
of the particular inputs. We believe that approaches like this will become the 
core of the algorithmics, because they provide a deeper insight in the hardness 
of specific problems and in many application we are not interested in the worst- 
case problem hardness, but in the hardness of forthcoming problem instances. 



1. Introduction 

Immediately after introducing NP-hardness (completeness) [Co71] as a con- 
cept for proving intractability of computing problems [Ka72], the following 
question has been posed: If an optimization problem does not admit an effi- 
ciently computable optimal solution, is there a possibility to efficiently com- 
pute at least an approximation of the optimal solution? Several researchers 
[Jo74, Lo75, Chr76, IK75] provided already in the middle of the seventies a 
positive answer for some optimization problems. It may seem to be a fasci- 
nating effect if one jumps from the exponential complexity (a huge inevitable 
amount of physical work) to the polynomial complexity (tractable amount of 
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physical work) due to a small change in the requirement — instead of an exact 
optimal solution one forces a solution whose quality differs from the qual- 
ity of an optimal solution at most by £ • 100 % for some £. This effect is 
very strong, especially, if one considers problems for which this approxima- 
tion concept works for any small e (see the concept of approximation schemes 
in [K75, MPS98, Pa94, BC93, Va03, Hr03]). 

There is also another possibility to jump from NP to P. Namely, to consider 
the subset of inputs with a special, nice property instead of the whole set of 
inputs for which the problem is well-defined. A nice example is the Travelling 
Salesman Problem (TSP). TSP is not only NP-hard, but also the search of an 
approximation solution for TSP is NP-hard for every e. But if one considers 
TSP for inputs satisfying the triangle inequality ( the so-called A-TSP), one can 
even design an approximation algorithm [Chr76] with the approximation ratio 
£ ~ The situation is still more interesting, if one considers the Euclidean 
TSP, where the distances between the nodes correspond to the distances in the 
Euclidean metrics. The Euclidean TSP is NP-hard [Pa77], but for every small 
e > 0 one can design an e-approximation algorithm [Ar96, Ar97, Mi96] with 
an almost linear time complexity. 

The fascinating observations of huge quantitive changes mentioned above 
lead us to our proposal to consider the “stability” of approximation algorithms. 
Let us consider the following scenario. One has an optimization problem P for 
two sets of inputs L\ and L 2 , L\ C L 2 . For L\ there exists an polynomial- 
time ^approximation algorithm A, but for L 2 there is no polynomial-time 5- 
approximation algorithm for any 6 > 0 (if NP is not equal to P). We pose the 
following question: Is the algorithm A really useful for inputs from L 1 only? 
Let us consider a metrics M in L 2 determining the distance between any two 
inputs in L 2 . Now, one can consider an input x G L% — L \ , for which there 
exists an y € L\ such that di stance m(x, y) < k for some positive real k. One 
can look for how “good” the algorithm A is for the input x € L 2 — L\. If for 
every k > 0 and every x with the distance at most k to L\, A computes an 5 St jt 
approximation of an optimal solution for x ( 6 e ^ is considered to be a constant 
depending on k and £ only), then one can say that A is “(approximation) stable” 
according to the metrics M. 

The idea of this concept is similar to that of the stability of numerical algo- 
rithms. But instead of observing the size of the change of the output value ac- 
cording to a small change of the input value, we look for the size of the change 
of the approximation ratio according to a small change in the specification 
(some parameters, characteristics) of the set of problem instances considered. 
If the exchange of the approximation ratio is small for every small change in 
the specification of the set of problem instances, then we have a stable algo- 
rithm. If a small change in the specification of the set of problem instances 
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causes an essential (depending on the size of the input instances) increase of 
the relative error, then the algorithm is unstable. 

The concept of stability enables us to show positive results extending the 
applicability of known approximation algorithms. As we shall see later, the 
concept also motivates to modify an unstable algorithm A in order to get a 
stable algorithm B that achieves the same approximation ratio on the original 
set of problem instances as A has, but B can also be successfully used outside 
of the original set of problem instances. This concept is useful because there 
are a lot of problems for which an additional assumption on the “parameters” 
of the problem instances leads to an essential decrease in the hardness of the 
problem. Such effects are the starting points for trying to partition the whole 
set of problem instances into a spectrum of classes according to polynomial- 
time approximability. 

As one can observe this approach is similar to the concept of parametrized 
complexity of Downey and Fellows [DF95, DF99] in trying to overcome the 
troubles caused by measuring complexity and approximation ratio in the worst- 
case manner. The main aim of both concepts is partitioning of the set of all 
instances of a hard problem into infinite many classes with respect to the hard- 
ness of particular instances. We believe that approaches like these will be the 
core of future algorithmics, because they provide a deeper insight in the nature 
of the hardness of specific problems and in many applications we are not inter- 
ested in the worst-case problem hardness, but in the hardness of forthcoming 
problem instances. 

2. Definition of the Stability of Approximation 
Algorithms 

We assume that the reader is familiar with the basic concepts and notions 
of algorithmics and complexity theory as presented in standard textbooks like 
[BC93, GJ79, Ho96, Pa94, We93, Hr04]. Next, we give a formal definition 
of the notion of an optimization problem. Let IN = {0, 1, 2, ...} be the set of 
nonnegative integers, and let H + be the set of positive reals. 

Definition 1 An optimization problem U is an 7-tuple U = (£/,Eo,L, 
Lj,M, cost, goal), where 

(i) E/ is an alphabet called input alphabet, 

( ii) Eo is an alphabet called output alphabet, 

(iii) L C E* is a language over E/ called the language of consistentinputs, 

(iv) Li CL is a language over E/ called the language of actual inputs, 

(v) AA is a function from 2 s o, L towhere, for every x € L, AA(x) is called 
the set of feasible solutions for the input x, 
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(vi) cost is a function, called cost function, that for every pair (u, X ), where 
u £ fal(x) for some x £ L, assigns a positive real number cost(u, x), 

(vii) goal £ {minimum, maximum} . 

For every x £ L, we define 

Outputu(x ) = {y £ M(x)\cost(y) = goal{cost(z)\z £ A4(x)}} 

as the set of optima! solutions, and Optjj{x)= COSt{y) for some y £ 

Outputu(x). 

Clearly, the meaning for E/, E o, fat, cost and goal is the usual one. L may 
be considered as a set of consistent inputs, i.e., the inputs for which the op- 
timization problem is consistently defined. L/ is the set of inputs considered 
and only these inputs are taken into account when one determines the com- 
plexity of the optimization problem U. This kind of definition is useful for 
considering the complexity of optimization problems parametrized according 
to their languages of actual inputs. In what follows Language(U) denotes 
the language Lj of actual inputs of U. 

Definition 2 Let U = (E/, Eo, L, Lj, M, cost, goal) be an optimization 
problem. We say that an algorithm A is a consistent algorithm for U if, for 
every input x G Li, A computes an output A{x) £ A4(x). We say that A 
solves U if, for every x £ Lj, A computes an output A(x) from Outputu{x). 
The time complexity of A is defined as the function 

TimeA(n ) = max{TimeA{x) | x £ Li n E"} 

from IN to IN, where TimeA(x) is the length of the computation of A on x. 



Definition 3 Let U = (E;, Eo, L, Lj,A4, cost, goal) be an optimization 
problem, and let A be a consistent algorithm for U. 

For every X £ Lj, the approximation ratio Ra(x) of Aon X is defined as 



Ra(x) = max 



( cost(A(x)) Optu(x) 1 
\ Optu(x) ' cost(A(x)) ] ’ 



For any n £ IN, we define the approximation ration of A as 



RA(n) = max{.ft,t(a:) | x £ Li ft (E/)"}. 



For any positive real 5, we say that A is an 6-approximation algorithm for U 
if Ra{x) < 6 for every x £ Lj. 

For every function / : IN — > 1R„ we say that A is a f (n)-approximation 

algorithm for U if RA( n ) < f{n) far every n £ IN. 
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In order to define the notion of stability of approximation algorithms we 
need to consider something like a distance between a language L and a word 
outside L. 

Definition 4 Let U — (£/, Eq, L, Li,M, cost, goal) and 1 7=(E /l E 0) L, 
L,M, cost, goal) be two optimization problems with Lj C L. A distance 
function for U according to Lj is any function : L —> IR + satisfying the 

property 

hi{x) = 0 for every x € Li. 

We define, for any r € 1R + , 

Ball r ,h{Li ) = {w e L | h{w) < r}. 

Let A be a consistent algorithm for U, and let A be an e-approximation al- 
gorithm for U for some e € 1R + . Let p be a positive real. We say that A is 
p-stable according to h if, for every real 0 < r < p, there exists a 8 r<£ £ 
IR + such that A is an 8 rfi -approximation algorithm for U r = (£/, Eo, L, 
Ball ri h(Li),M , cost, goal ). 1 

A is stable according to h if A is p-stable according toh for every p € IR + . 
We say that A is unstable according to h if A is not p-stable for any p > 0. 

For every positive integer r, and every function / r : IN — > 1R + we say that 

A is (r, f (n))-quasistable according to h if A is an f T (n)-approximation 
algorithm for U r = (£/, Eo. L, BallrjfiLj), M, cost, goal). 

One may see that the notion of stability can be useful for answering the 
question how broadly a given approximation algorithm is applicable . If one is 
interested in negative results then one can try to show that for any reasonable 
distance measure the considered algorithm cannot be extended to work for a 
much larger set of inputs than the original one. In this way one can search for 
some more exact boundaries between polynomial approximability and polyno- 
mial non-approximability. 

3. Examples 

We consider the well-known TSP problem that is in its general form very 
hard for approximation. But if one considers complete graphs in which the 
triangle inequality holds, then we have a 1.5 -approximation algorithm due to 
Christofides [Chr76|. The idea of this algorithm can be shortly described as 
follows. 



*Note, that S r ,t isaconstantdependingon r and£ only. 
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Christofides algorithm 



Input: A complete graph G = ( V, , E), and a cost function c: E 

1N + satisfying the triangle inequality. 

Step 1: Construct a minimal spanning tree rof G according toe. 

Step 2: S {u € V | degr(v) is odd}. 

Step 3: Compute a minimum-weight perfect matching M on S in 

G. 

Step 4: Create the multigraph G' = (V, E(T) U M) and construct 

an Eulerian tourw in G' . 

Step 5: Construct a Hamiltonian tour H of G by shortening u (i.e., 

by removing all repetitions of the occurrences of every ver- 
tex in lo in one run via w from the left to the right). 

Output: H. 



Since the triangle inequality holds and Step 5 is executed by repeatedly short- 
ening a path x, ui, u m , y by the edge {x, y} (because U\, ..., u m have al- 
ready occured before in the prefix of tv) the cost of H is at most the cost of to. 
Thus, the crucial point for the success of Christofides algorithm is the triangle 
inequality. A reasonable possibility to search for an extension of the appli- 
cation of this algorithm is to look for inputs that “almost” satisfy the triangle 
inequality. In what follows we do it in two different ways. 

Let A - TSP — (E/, Eq, L, Li, M, cost, minimum) be a representa- 
tion of the TSP with the triangle inequality. We may assume E/ = Eo = 
{0,1,#}, L contains codes of all weight functions for edges of complete 
graphs, and Lj contains codes of weight functions that satisfy the triangle 
inequality. Let, for every x € L, G x = ( V x ,E x ,weight x ) be the complete 
weighted graph coded by x. Obviously, the Christofides algorithm is consis- 
tent for (E /, E o, L,L,M, cost, minimum). 

We define for every x G L, 



dist(x) — 

{°, 



max 



max • 



weight({u,v}) 



weight({u,p}) + weight({p,v}) 



- 1 



u,v,p € V a 






For the simplicity we consider the size of x as the number of nodes of G x 
instead of |x|. 

We observe that dist(G, c) < r implies the so-called (1 +r)-relaxed triangle 
inequality 

c({u, v}) < (1 + r)[c({u, in}) + c({w, u})] 
for all three different vertices u,v,w € V (G). 
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Let, for every positive real number r, 

A-TSP r = (E /, Eo, L, Ball r< d u t(L&),M, cost , minimum). 

The next results show that the Christofides algorithm assures only a 
very weak approximation for instances of A-T SP r for any r £ IR + . First, we 
show a partially positive result and then we prove that it cannot be essentially 
improved. 

Lemma 5 For every positive real number r , Christofides algorithm is 

(r, O(n log2 ^ l+r ^^))-quasistable for dist. 

Proof. Let I — ( G,c ) £ Ball ri dut(Pcs) for an r € IR + . Let T/ be the 
minimal spanning tree constructed in Step 1 . Let u>i be the Eulerian tour con- 
structed in Step 4 and Hj = V\ , v% , t >3 , . . . , v n , v n+ 1 , where v n + 1 = V\ , be the 
Hamiltonian tour constructed by shortening ujj in Step 5. 

Clearly, 

W/ = Vi,Pi,V2,P2,V3,...,V n ,P ni V n+ i, 

where Pi is a path between Vi and tij+i for i = 1, 2, . . . , n. To exchange a path 
v, P. u of a length m, rn £ 1N + , for the edge {v, u} we proceed as follows. For 
any p,s,t € V ( G ), one can exchange the path p, s, t for the edge {p, t) by the 
cost increase bounded by the multiplicative constant (1 + r). This means that 
reducing the length m of a path to the length [m/2] increases the cost of the 
connection between u and v by at most (1 + r) times. After at most [log 2 m] 
such reduction steps one reduces the path v, P, u of length m to the path v, u, 
and 

cost(u,v) = c({v,u}) < (1 + 7’)f log2r ”l • cost(v,P,u). (1) 

Let Mi be the matching constructed in Step 3. Following the analysis of the 
Christofides algorithm (see Theorem 4.3.5.5 in [Hr03] for instance) we get 
from(l ) 

cost{Mi) < i • (1 + r)f‘ og2 • cost{H 0 pt), (2) 

and 

cost(Hi) < (1 + T-)r iog3 "lcost(u;/). (3) 

Thus, 

cost(Hi) < (1 + r)^ 082 "! cost(u}i) =(1 + r)^ og3 ^ [cost(Ti) + cost(Mj)\ 
< (1 + r)f log3 n l cost (H opt) + \(l + r)^ log3n l • cost(H 0p t)\ 

= (1 + r)r iog3 "l (l + i(l + r)r'° g a"l) • cost(Hopt) 

= O (n log3 « 1+r > 2 ) • cost(Ho P t)) ■ 
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Now we show that the result of Lemma 5 cannot be essentially improved. To 
show this, we construct an input for which the Christofides algorithm 
provides a very poor approximation. 

We construct a weighted complete graph from Ball T< fc a t{L&) as follows 
(Figure 1). We start with the path Po,pi, ■ ■ ■ ,p n for n = 2*. k 6 IN, where 
every edge {pj,Pt+l} has weight 1. Then we add edges {piiPi+ 2 } for i = 
0, 1, . . . , n—2 with weight 2- (1+r). Generally, for every rn e {l,...,log 2 n}, 
we define weight ({pi,Pi+ 2 m }) = 2 m • (1 + r) m for i = 0, . . . ,n — 2 m . For 
all other edges one can take maximal possible weights in such a way that the 
constructed input is in Ball ri dist(Li). 



4 (1+r) 2 4 (1+r) 2 4 • (1 + r) 2 




Figure 1. 



Let us have a look on the work of the Christofides algorithm on 
the input ( G , weight ). There is only one minimal spanning tree that cor- 
responds to the path containing all edges of weight 1 (Figure 1). Since ev- 
ery path contains exactly two vertices of odd degree, the Eulerian graph con- 
structed in Step 4 is the cycle D = Po,Pi,P 2 , • ■ • iPmPo with the n edges of 
weight 1 and the edge of the maximal weight n ■ (1 + r) log2 " — n 1+1 ° 82 ^ 1+r \ 
Since the Eulerian tour is a Hamiltonian tour (Figure 1), the output of the 
Christofides algorithm is unambiguously the cycle po,pi, ... ,p ri ,po 
with cost n -f n( 1 4- r) log2 n . The optimal tour for this input is Hopt — 



P0iP2)P4t • • • tP2»iP2(«+l)> • • • ,Pn>Pn-l,Pn-3, • • • ,P2i+l,P2i-l> • • • ,P3,PliP0- 
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This tour contains two edges {/?o, Pi } and {p n - 1 , J 3 „} of weight 1 and all n — 2 
edges of weight 2 • (1 + r). Thus, cost(Hopt) = 2 + 2 • (1 + r) • (n — 2) and 

cost{D) n + n • (1 + r) lo «» n ^ n i+iog 2 (i+r) n io ga (i+r) 

cost(Ho P t) " 2 + 2 • (1 + r) • (n - 2) “ 2n ■ (1 + r) " 2(1 + r) ' 

Thus, we have proved the following result. 

Lemma 6 For every r € 1R + , if the Christofides algorithm is (r, / r (n))- 
quasistable for dist, then 

/r(n)>n l0 ^ 1+r V(2-(l + r)). 

Corollary 7 77ie Christofides algorithm is unstable for dist. 

The key question is whether one can modify the Christofides algorithm to 
get an algorithm that is stable according to dist. In what follows, we give a 
positive answer to this question. 

As we have observed, the main problem is that shortening a path U\,U2,. 
u m + 1 to the edge ui,u m + 1 can lead to 

cost({ui,Um +1 }) = (1 + r) riog3ml • cost(ui,u 2 ,...,u m+ i). 

This can increase the cost of the constructed Hamiltonian path by the multi- 
plicative factor (l + r )P°g 2 «l in the comparison with the cost of the Eulerian 
tour. The rough idea, then, is to construct a Hamiltonian tour by shortening 
only short paths of the minimal spanning tree constructed in Step 1 of the al- 
gorithm. 

To realize this idea we shall prove that, for every tree T = ( V, E). the graph 
r> = (v,{{*,»}|i,i,ev, there is a path x, P. y in T of a length at most 3 }) 
contains a Hamiltonian tour H. This means that eveiy edge {it, u} of H has 
a corresponding unique path it, P Ui „, v in 7 ’ol'a length at most 3 . This is a 
positive development, but it still does not suffice for our purposes. The re- 
maining problem is that we need to estimate a good upper bound on the cost of 
the path P(H) = u \ , Pui,u 2 i u 2> Pu 2 ,u3 > 113, ... , u n _iP Un _ liUn , itn, P u ni ui 1 ttt 
(in 7 ) that corresponds to the Hamiltonian tour Ui, u 2 , . . . , u n , iti in T 3 . Note 
that in the naive 2 - approximation algorithm the resulting Hamiltonian tour can 
be viewed as a shortening of the Eulerian tour 2 with a cost at most twice of 
the cost of T. But, we do not know the frequency of the occurrences of par- 
ticular edges of T in P(H). It may happen that the most expensive edges of 
T occur more frequently in P(H) than the cheap edges. Observe also that 
cost(T 3 ) cannot be bounded by c • cost{T) for any constant c independent on 



2 t he Eulerian tour uses every edge of T exactly twice. 
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T, because T 3 may be even a complete graph for some trees T. Thus, we need 
the following technical lemma proving that T 3 contains a Hamiltonian tour H 
such that each edge of T occurs at most twice in P(H). 

Definition 8 Let T be a tree. For every edge {u,v} € E(T), let u, P UiV ,v 
be the unique simple path between u and v in T. 

Let k be a positive integer. Let U = Ui, U 2 , . . . , U rn be any simple path in 
T*. Then , we define the [/-path in T as 

MU) = ui 1 Pu lt u„ U 2l Puj,U3> • • • 1 %- 1> ^Um-OUm I U m- 

Lemma 9 Let T be a tree with n > 3 vertices, and let {P.9} be an edge of 
T. Then, T 3 contains a Hamiltonian path U = l>i, 1)2, . ■ ■ , V n , p — V\, V n ~ q, 
such that every edge ofE(T) occurs exactly twice in Pr{H), where H — U,p 
is a Hamiltonian tour in T 3 . 

Proof. We prove this assertion by induction on the number of vertices of T. 

(1) Let n = 3. The only tree of three vertices is 

T = ({U1,V2,V3},{{V1,V2},{V2,V 3 }}) 

and the corresponding T 3 is the complete graph of three vertices 

({V1,U2,V3},{{U1,U2},{U2,U3},{V1,V3}}). 

Thus, the only Hamiltonian tour in T 3 is i>i, U 2 , 113 , i>i. The claim of 
Lemma9 is true, since Pp(v 1 ,^ 21 ^ 31 ^ 4 ) = Vi,V 2 ,V 3 ,V 2 ,Vi. 

(2) Let n > 4 and assume that Lemma 9 is true for trees with fewer than n 
vertices. Let T = (V, E ) be a tree, |V] = n. Let {p, g} be an arbitrary 
edge of T. Consider the graph T' = (V,E— {{p, q}}) that consists of 
two trees T p and T q , where T v [T q ] is the component of T' containing 
the vertex p [ 9 ]. Obviously, |V(Tp)| < n - 1 and \ V(T q )\ < n - 1. Let 
p' and q', respectively, be a neighbor of p and q, if any, in T v and T q , 
respectively. Now, we fix some Hamiltonian paths U p and U q in T p and 
T 3 , respectively. To do it, we distinguish three possibilities according to 
the cardinalities of T p and T q . 

1 li\V(T p )\ = l, then set U p — p — p' . 

2 If iV^Tp)! = 2, then set U p = p,p'. 

3 If 3 < \V(T p )\ < n — 1, then we can apply the induction hypoth- 
esis. We set U p to be a Hamiltonian path from p to p' in T 3 such 
that P(U p ,p) contains every edge of T p exactly twice. 
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A Hamiltonian path U q in T 3 can be fixed in the same way as U p was 
fixed above (Figure 2). 

Now, consider the path Up, U q obtained by connecting U p and the re- 
verse of Uq by the edge {p 1 , q'}. Observe, that {p 1 , q 1 } G T 3 , because 
p' , p, q, q' is a path in T. Following Figure 2, it is obvious that U p , U R 
is a Hamiltonian path in T 3 , and that U p , U q ,p is a Hamiltonian tour in 




Figure 2. 

Observe (by the induction hypothesis or the trivial cases with | V{T p ) | < 
2) that Pp p (C/p, p') the Hamiltonian tour U p , p' in T 3 contains every edge 
of T p exactly twice. Thus, Pr p ( U p ) contains every edge, but the edge 
{p>P'} of T p exactly twice. The edge {P,p'} is contained exactly once 
in Pr p {U p ). Similarly, Pr q (U q ) contains every edge of T q twice, but 
the edge {</.<?'} once. Finally, Pr(U P ,U q R ,p) contains every edge of T 
exactly twice, because 

1 this is clear from the properties of U P and U R for every edge from 

^ — {{P,^}, {P,P'}, 

2 the edge {p 1 , q'} G T 3 connecting U p and U q (Figure 2) is realized 
by the path p',p, q, q' containing edges {p,p'}, {p, 9 }, and {< 7 , q 1 } 
of E, and 

3 the connection of U p , U R with p is realized directly by the edge 

{P,<?}- 

Sekanina’S Algorithm 

Input: A complete graph G = (V, E), and a cost function c : E -> 

IN+. 

Step 1: Construct a minimal spanning tree r of G according to c. 

Step 2: Construct T 3 . 
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Step 3 : Find a Hamiltonian tour H in T 3 such that Pr{H) contains 

every edge of T exactly twice. 

Output: H. 

Theorem 10 Sekanina'S algorithm is a polynomial-time 2-approxi- 
mation algorithm for A-TSP. 

Proof. Obviously, Step 1 and 2 of Sekanina s algorithm can be per- 
formed in time 0 (n 2 ). Using Lemma 9 one can implement Step 3 in time 
0 (n). Thus, the time complexity of Sekanina s algorithm is in 0 (n 2 ). 

Let Hopt be an optimal solution for an input instance (G, c ) ofA-TSP. We 
have costiT) < cost(Hopt)- The output H of Sekanina’S algorithm can 
be viewed as shortening the path Px{H) by removing repetitions of vertices in 
W). Since Pr(H) contains every edge of T exactly twice, 

cost(Pr(H )) = 2 ■ cost(T) < 2 • cost(Hopt)- ( 4 ) 

Since H is obtained from Pg(H) by exchanging simple subpaths by an edge, 
and c satisfies the triangle inequality, 

cost(H) < cost(Pr{H)). ( 5 ) 

Combining ( 4 ) and (5) we obtain cost(H) < 2 • cost(Ho P t )■ 

Theorem 11 For every positive real number r, Sekanina’S algorithm 
is a polynomial-time 2(1 + r) 2 -approximation algorithm for A -TSP r - 

Proof. Since Sekanina’S algorithm always outputs a Hamiltonian tour, 
it is consistent for TSP. Obviously, the inequality ( 4 ) is also true for any input 
instance of the general TSP. 

Let ( G , c) be an input instance of A-TSP r . Since ( G , c) € Ball r gi s t{L^f), 

c({tii,ut}) < (1 + r) 2 • cost(v\,V2, vz,v 4 ), and 
c({ui,u 3 }) < (1 + r) ■ cost(ui,U 2 ,u 3 ) 

for all edges {uj, M3}, {iq, U4} 6 E(G) and every path Vi,V2, V3, 1)4 between 
V\ and 114 and every path ui, 112,113 between ui and n 3 . Since H is obtained 
from Pp{H) by exchanging a simple subpath of Pt(H) of length at most 3 , 

cost(H) < (1 + r) 2 • cost(Pr{H)). (6) 

Combining ( 4 ) and (6) we finally obtain 

cost(H) < 2 ■ (1 + r) 2 • cost(Pr(H)). 
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Corollary 12 Sekanina s algorithm is stable according to dist. 

Thus, we have reached our final aim to divide the set of all instances of TSP 
into an infinite spectrum in such a way that the sets of this spectrum have upper 
bounds on the polynomial-time approximability of their input instances. The 
above analysis of TSP shows that it is reasonable to measure the hardness of 
the TSP instances by the distance function dist, i.e., by the degree of violation 
of the triangle inequality. 

4. Conclusion and an Overview 

In the previous sections we have introduced the concept of stability of ap- 
proximations. Here we discuss the potential applicability and usefulness of 
this concept. 

Using this concept, one can establish positive results ofthe following types: 

1 An approximation algorithm or a PTAS can be successfully used for a 
larger set of inputs than the set usually considered. 

2 We are not able to successfully apply a given approximation algorithm 
A (a PTAS) for additional inputs, but one can simply modify A to get a 
new approximation algorithm (a new PTAS) working for a larger set of 
inputs than the set of inputs of A. 

3 To leant that an approximation algorithm is unstable for a distance mea- 
sure could lead to the development of completely new approximation 
algorithms that would be stable according to the considered distance 
measure. 

The following types of negative results may be achieved: 

4. The fact that an approximation algorithm is unstable according to all 
“reasonable" distance measures and so that its use is really restricted to 
the original input set. 

5. Let Q = (E/, Eo, L, Lj,M,cost , goal ) E NPO be well approximable. 
If, for a distance measure D and a constant r, one proves the nonex- 
istence of any polynomial-time approximation algorithm for Q r ,D — 
(E/, So. L, Ball ri o(Li),M, cost, goal), then this means that the prob- 
lem Q is “unstable” according to I). 

Thus, using the notion of stability one can search for a spectrum ofthe hard- 
ness of a problem according to the set of inputs. For instance, considering a 
hard problem like TSP or Clique Problem one could get an infinite sequence of 
input languages Lq, Li, L?, ••• given by some distance measure, where Rr(n) 
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is the best achievable approximation ratio for the language L r . Results of this 
kind can essentially contribute to the study of the nature of hardness of specific 
problems. 

The best results known forTSP instances satisfying the (3 — (l-Fr)-triangle 
inequality are the following ones: 

1 Andreae and Bandelt [AB95] showed that the here presented Sekanina 
Algorithm provides a (/3 2 -f /3) approximation ratio, which is the best 
known for 2 < (3 < 3; 

2 Bender and Chekuri [BCh99] designed a 4 • /^-approximation algorithm, 
which is the best for f3 > 3; 

3 Bockenhauer at. al. [BHK+02] have modified the Christofides Algo- 
rithm in order to get a | • /3 2 -approximation algorithm, which is the best 
for 1 < /? < 2. 

Moreover Bender and Chekuri [BCh99] proved a lower bound on the poly- 
nomial time approximability of this TSP subproblem which grows linearly 
with P . 

Further development of these ideas for different versions of the Hamiltonian 
path problem can be found by Forlizzi at. al. [FHP+04], where a few stable 
algorithms with respect to relaxed triangle inequality were designed. 

Another possibility is to consider the so-called a-strengthen triangle in- 
equality, where one requires 

c({u, u}) < a ■ [c({u, u>}) + c({tn, u})] 

for an a with 1 > a > 1/2, Observe that for a — 1/2 all edges have the same 
weight and so the problem becames trivial. Bockenhauer at. al. [BHK+00] 
designed three algorithms for TSP subproblems with instances satisfying the 
a-strengthen triangle inequality, which yield the approximation ratios starting 
with 1 for a = 1/2 and growing with a to 3/2 for a — 1. A very strong 
result has been proved by Bockenhauer and Seibert [BSOO] who established an 
explicit lower bound on polynomial time approximability of TSP with sharped 
triangle inequality for any a > 1/2 and this lower bounds grows with a. Thus, 
the TSP instances with weights from the interval [1, 1 + e] form an APX-hard 
problem for arbitrary small e > 0, The subproblems with sharped triangle 
inequality were also successfully attacked for the minimum 2-connected span- 
ning subgraph problems in [BBH + 02], 
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TOWARDS A BROADER THEORY OF 
MOBILE PROCESSES 



Robin Milner 
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Bigraphs are a topographical model of reactive systems that aim to unify 
existing theoretical approaches to mobile communicating agents. They combine 
two structures orthogonally: connectivity and locality. Thus, for example, they 
represent both ambients and pi-calculus; the topography deals not only with 
(even physical) locality but also with abstract notions such as the scope of a 
name. In my talk I shall explain how recent joint work with Jamey Leifer on 
relative pushouts enables transition systems to be derived for pi-calculus and 
ambients (in recent work by Ole Jensen), and I shall present condition-event 
Petri nets as an example. 




A DECIDABLE ANALYSIS OF SECURITY 
PROTOCOLS 



Michael Rusinowitch 
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Cryptographic protocols such as IKE, SET, TLS, Kerberos have been devel- 
oped to secure electronic transactions. However the design of such protocols 
often appears to be problematic even assuming that the cryptographic primi- 
tives are perfect, i.e. even assuming we cannot decrypt a message without the 
right key. An intruder may intercept messages, analyse them, modify them 
with low computing power and then carry out malevolent actions. This may 
lead to a variety of attacks such as well-known Man-in-the-Middle attacks. 

Even in this abstract model, the so-called Dolev-Yao model, protocol analysis 
is complex since the set of states to consider is huge or infinite. One should 
consider messages of any size, infinite number of sessions. The interleaving of 
parallel sessions generates a large search space. Also when we try to relax the 
perfect encryption hypothesis by taking into account some algebraic properties 
of operators then the task gets even more difficult. 

We will present translation and constraint solving techniques developed in 
our Cassis team for automating protocol analysis in Dolev-Yao model and some 
of its extensions. Protocol specifications are compiled and then passed on 
decision procedures for checking automatically whether they are exposed to 
flaws. 
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Abstract We analyze an algebraic representation of AS <S-128 as an embedding in 
BSS, due to Murphy and Robshaw. We present two systems of equa- 
tions S* and K* concerning encryption and key generation processes. 
After some simple but rather cumbersome substitutions, we should ob- 
tain two new systems C 1 and Ci. Ci has 16 very dense equations of 
degree up to 255 in each of its 16 variables. With a single pair (p,c), 
with p a cleartext and c its encryption, its roots give all possible keys 
that should encrypt p to C. C 2 may be defined using 1 1 or more pairs 
(p, c), and has 16 times as many equations in 176 variables. K* and 
most of S* is invariant for all key choices. 

Keywords: Advanced Encryption Standard, ASS, BSS, VSS, Cryptography, Grobner 
bases. Computer Algebra 



Introduction 

Rijndael is a block cipher, that encrypts blocks of 128, 192, and 256 
bits using symmetric keys of 128, 192, and 256 bits. It was designed 
with a particular attention to bit-level attacks, such as linear and dif- 
ferential cryptanalysis. Its resistance to such attacks is the dichotomy 
between operations in F = GF( 2 8 ) and GF(2). Since its proposal, many 
new bit-level attacks, such as impossible differential and truncated dif- 
ferential have been proposed. Most of them break with some efficiency 
reduced versions of Rijndael, but they are not much better than exhaus- 
tive key search in the general case. In practice they are mainly academic 
arguments rather than real world threats to the security of A£S. The 
interested reader can find an account and some references about these 
cryptological tools in [ODRJ. 
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Another, new, cryptological tool is the algebraic representation of the 
cipher [MR; FSW; CP]. In this case, an eavesdropper tries to write the 
whole set of operations and parameters of the cipher as a system of 
polynomial equations, which he/she next tries to solve. In general, the 
systems are enormous. Solving them using general purpose techniques, 
such as Grobner bases [CLO] is considered the wrong way to face the 
problem. However, the systems have sometimes an intrinsic structure, 
and the task may get easier. Not too much research is done in the topic: 
in particular, ASS seems to have been designed without considering 
algebraic cryptanalysis tools. 

In this paper we focus on the BSS algebraic approach, due to Murphy 
and Robshaw [MR]. We present some algebraic aspects of representing 
ASS as a system of polynomial equations following the BSS approach. 
By means of successive substitutions, we are able to eliminate all in- 
termediate variables, obtaining two systems S* and K* whose solution 
corresponds to code breaking. Actually, they are very complicated: their 
resolution is not trivial at all. 

1. The AES- 128 cipher 

The AES encryption algorithm is sketched below: 

■ Input a cleartext x. 

— Initialize State = x. 

— perform an operation AddRoundKey, in which Round- 
Key is xor-ed with the State. 

■ For nine (first to ninth) rounds: 

— perform a substitution operation called SubBytes on State, 
using an 5-box. 

— perform a permutation ShiftRows on State. 

— perform an operation MixColumns on State. 

— perform AddRoundKey. 

■ The tenth (last) round: 

— perform SubBytes. 

— perform ShiftRows. 

— perform AddRoundKey. 

■ Define the ciphertext y to be the State. 

All ASS operations are byte-oriented. The cleartext, ciphertext, and 
each output of intermediate steps of encryption and decryption algo- 
rithms are thought of as 4 x 4 matrices of bytes. The operations on each 
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Soo 


SOI 


S02 


S03 


Sll 


S12 


Sl3 


SlO 


S22 


S23 


S20 


S21 


S33 


S30 


S31 


«32 



Soo 


Sol 


S02 


«03 


S10 


sn 


S12 


«13 


S20 


S21 


S22 


S23 


S30 


S31 


S32 


S33 



Figure I. The ShiftRows operation on ASS 



byte are those of the finite field F = GF( 2 8 ). The elements are thought 
of as polynomials with coefficients in GF{ 2), mod (m(t)), the so-called 
Rijndael polynomial : 

TTl(t) — f 3 + f 4 + t 3 + t 4* 1 = lib . (1) 

They are represented as integers pairs in hexadecimal representation. 
If interpreted as eight-bit binary strings, we have the t— term exponents. 
The SubBytes operation substitutes each of the bytes x with S(x): 

S(x) = 63 + 8fx 127 + b5x 191 + Olx 223 + f4x 239 4- 
25x 247 4- f 9x 251 4- 09x 253 4- 05x 254 

Actually, S(x) is a permutation polynomial. 

The ShiftRows operation permutes bytes in each row, see Figure 1. 

The MixColumns operation performs a permutation of bytes in each 
column using a matrix in GL(F, 4), introduced later in Section 2.1. In 
practice, the columns are considered as polynomials in F[x], and multi- 
plied mod (x 4 4- 1) by the polynomial a(x) : 

a(x) = 03x 3 -F Olx 2 + Olx 4- 02. (2) 

Now consider the key schedule. The key used in every cipher round 
is successively obtained by the key of the precedent one. Here is the 
complete procedure. 

■ Input a key ho- Initialize Ho = ho. 

■ For each round r = 1, . . . , 10, permute (RotWord) the sub-vector 
formed by the last four elements (word) of H r _i, see Figure 2. 

■ Perform the Sub Word (<S-box on each byte) operation on the ob- 
tained result, and add the vector Rcon r = (t r_1 , 0,0,0). 

■ Define the other elements by means of bitwise xor operations in 
terms of the obtained result and other words from H r _i. 

■ Define the set of keys to be h to be {H r | r = 0, . . . , 10}. 
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| no | ai | g» | a3 | 



| 0 | | aa | «3 | ao~| 



Figure 2. The Rot Word operation on ACS 



Consider each vector as a four-words set, indicated with a second 
index ranging from 0 to 3 indicating single parts. For y € F 4 we put 
y r A (y) — SubWord(RotWord‘(y)) + Rcon r . The round for ACS 
key generation scheme is: 



IC A 



■ H r0 = ^(H r -1,3) 

( H r i = H r o + H, — ip 
Hr2 = H r i + H r _i,2 
. H r3 = H r2 -f- H r _i i3 



==> H r = (H r o,H rl ,H r 2,H r3 ) (3) 



2. The B£S cipher 

We start from the BCS cipher, in which .455 is embedded by a “nat- 
ural” mapping. BCS operations involve only computations in F. This 
permits to describe ACS using polynomial equation systems. Solving 
them means to find the key or an alias, and therefore to break the code. 

The state spaces of ACS and BCS are respectively A = F 16 and 
B = F 128 . The basic tool for embedding is the conjugation 0, taking for 
each value in F eight successive square powers. 



F 3 a i — > cj)(a ) — a — ( a 2 °,a 21 , 


...,a 27 ) G F 8 


(4) 


F n 9 a i — ^ 0(a) = a = (0(a o ), ... 


,0M) 6F 8 " 


(5) 


It is easily verified that (with 0 _1 =0) 






0( a -)- a') = 0(a) + 0(a') and 


0( a_1 ) = 0(a) -1 


(6) 



and we define B a = 0( A) C B as the subset of B corresponding to A. 

Let p, c € B be the plaintext and ciphertext, respectively; Wj, x* G B 
(0 < i < 9) the state vectors before and after the inversion phases, and 
hj G B the used keys. 

2.1 Correspondence 

The matrix La : F ~ GF( 2) 8 — > GF(2) 8 ~ F for the one-byte affine 
transformation in the 5-box phase can be represented by the polynomial 
function / ; F -> F: 

/(«) = J2 x * a2k 

k = 0 



( 7 ) 
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with 

Ao = t 2 + 1 
Ai = t 3 + 1 

A 2 = t 7 + t 6 + t 5 + t 4 + t 3 + 1 
A 3 = t 5 + t 2 + 1 



A 4 = t 7 + t 6 + t 5 + t 4 + t 2 
xl = t 7 + t 3 + t 4 + t 2 + i (8) 

A7 = t 7 + f 3 + t 2 + t + 1 



Working in B, Lg{a) = ^(L^a)) = (/(a) 2 °, . . . ,/(a) 27 ). The suc- 
cessive squares of / are needed, and the answer is given by a simple 
induction with basic step 

2 

^ 2 * +l (9) 



(/ W) 2 = ( E ha*) = E 2 = E w 

\k = 0 / fc=0 k = 0 

The resulting matrix, still indicated with Lb, is 



l b = [lij}i,j=o,...7 with 



hj — A 



2 ( 



(10) 



( 8 -i+j) mod 8 

The global transformation Line : F 128 — > F 128 is the block diagonal 
matrix with 16 blocks equal to Lb- 

The ASS <S-box constant ca — 63 = t 6 -I- 1 5 4 - 1 + 1 € F goes into: 

<f>(c A ) = (63, C2, 35, 66, D3, 2F, 39, 36) = (£ 6 + t 5 + t + 1, t 7 + t 6 + t, 

t h + t 4 + t 2 + 1, t 6 + t b + t 2 + t,t 7 + t 6 + t 4 + t + 1, (11) 

t 5 + t 3 + 1 2 + t + l,t 5 + 1 4 + 1 3 + l,t 5 + t 4 + t 2 + t) 

The corresponding BBS vector eg is obtained using sufficient copies 

C 0 = <j>{c A , . . . ,C A ) = (4 >(ca), ■ ■ ■ ,<P(ca)) [Cfiji = [ 0 (C/\)]t mo d 8 ( 12 ) 
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16 



The ASS ShiftRows may be represented by R A : F 16 — » F 16 . 



Ra = 



/ 


1 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


1 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 




0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


1 


0 


0 


0 


0 


0 




0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


1 




0 


0 


0 


0 


1 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 




0 


0 


0 


0 


0 


0 


0 


0 


0 


1 


0 


0 


0 


0 


0 


0 




0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


1 


0 




0 


0 


0 


1 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 




0 


0 


0 


0 


0 


0 


0 


0 


1 


0 


0 


0 


0 


0 


0 


0 




0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


1 


0 


0 




0 


0 


1 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 




0 


0 


0 


0 


0 


0 


0 


1 


0 


0 


0 


0 


0 


0 


0 


0 




0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


1 


0 


0 


0 




0 


1 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 




0 


0 


0 


0 


0 


0 


1 


0 


0 


0 


0 


0 


0 


0 


0 


0 


V 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


1 


0 


0 


0 


0 



(13) 
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“Expanding” each 1 in Ra with an identity matrix of order 8, Is, and 
each 0 with a zero (8 x 8) matrix, we have Rb ■ F 128 — > F 128 . 

The ASS MixColumns may be represented by C a : F 4 — ► F 4 : 



c A = 



t t + 1 1 1 \ 

1 t f + 1 1 

1 1 t t + 1 

f+1 1 1 t ) 



(14) 



The ASS transformation is given by the Mix^ : F 16 — ► F 16 block 
diagonal matrix having as blocks four copies of C a- In order to obtain 
the corresponding matrix we first need to compute Cg\ for k = 0, . . . , 7: 

t 2k (f + l) 2 * 1 1 

1 t 2 ' (f + l) 2 * 1 

1 1 f 2 * (t + l) 2 * 

(f + 1) 2 * 1 1 t 2k 

where 

t 2 ° = t = t 4 + t 3 + t + l t 2& = t 6 + t 3 + t 2 + 1 

t 2 ' = t 2 t 24 = t 6 + t 4 + t 3 + t 2 + t t 27 =t 7 + t 6 + t 5 + t 4 + t 3 + t 

i 22 - t 4 t 26 = t 7 + t 6 + t 5 + t 2 

k k ( 16 ) 

from which ( t + l) 2 = t 2 +1 are immediately obtained. 

In an appropriate basis, the resulting matrix Ms : F 128 — ► F 128 is a 
block diagonal one, with four consecutive copies of C ^ for all possible 
k. The change of basis is necessary because of the different positioning of 
value powers in 0’s image with respect to our needs. Indeed, if a G F 16 , 
then: 

<^>(a) (uo, •••) Uq t ®i> • • • i i • • • > a i5> • • • i ^ 15 ) (17) 

while to use the block diagonal representation, we would need: 





® (®0i ®15> ^0’ • • • ) ®15i • • • 1 j • • • > fljs) (18) 

This transformation is given by a permutation matrix Perms : F 128 — > 
F 128 . To represent it easily, suppose to divide it into (16 x 8) sub- 
matrices P hk , h = 0, ...,7 ,k = 0, . . . , 15. Each sub-matrix element 
(with i — 0, . . . , 15, j = 0, . . . , 7) is: 




if i = k and j = h 
else 



( 19 ) 
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Its inverse matrix Perm^ ^ is equally easy to describe: viewing it as 
composed of (8x16) sub-matrices P^ k with h = 0, . . . , 15, k = 0, . . . , 7, 
the generic element (with i = 0, . . . , 7, j — 0, . . . , 15) is defined 

exactly as [Phk]ij is. We have Mixij = Perm^ 1 ■ Mg- Perms. 

We can avoid c A slightly modifying the key generation scheme with 
respect to the original proposal. If b, (hfl)j e B are the state and key 
vectors for the generic round of BBS, we have: 

Roundfl(b, (hB)») = MixB(RB(Lin B (b -1 ) + c fl )) + (ha)j 

= Mg • (b" 1 ) + (Cb(cb) + (hB)i) (20) 
= Mg ■ (b -1 ) + (kg)i 

with 



Mg = MixB • Rb • Lina i Cg = Mixa ■ Rb > (ka)t = Cb(cb) + (hB)i 

( 21 ) 

For the last round, being Mixa absent, we have 

(ka)» = Rb(cb ) + (hfl)j (22) 

but in this particular case we have Cg(cg) = Rb(cb), and for what con- 
cerns this, we can avoid to distinguish the last round from the precedent 
ones. The change for key generation scheme is simply the addition of a 
constant vector to each obtained round key, and this will be the form of 
the system we will work with. 

Now we analyze the BBS translation for the key generation scheme. 

■ The ASS RotWord operation is represented by RWa : F 4 — ► F 4 . 



RW a = 



0 1 0 0 \ 

0 0 10 

0 0 0 1 

1 0 0 0 / 



(23) 



For the BBS version RW b : F 32 — ► F 32 , replace the l’s with Is, 
and 0’s with the (8x8) zero matrix. 

■ The <S-box is here applied only to a part of the whole vector, and 
therefore the matrix dimension changes. The resulting block diag- 
onal matrix LinB '• F 32 — > F 32 has four blocks equal to Lg. 

■ The constant Cb is given by just four copies of (j>(c A )' 

Cg = (j){c.Ai C A t h/4) h/l) (0(^-/l)i • • • i 0(b4)) » [C B ]» [^(hA)]* mod 8 

(24) 
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The constant vectors Rcorij — (t l 0,0,0) are mapped into: 

(Rcon fl )j = <£(Rconj) = (<^(< r_1 ),0, ... ,0) (25) 



We keep using the matrix notation, but here in a functional sense. 
We have here to use constants. If tp l B : F 32 -+ F 32 is the BSS i^-round 
mapping function for a conjugated word x: 

V?b(x) = LinB(RH / B(x)) _1 + c k B + (Rcon B )i (26) 

the generic ASS and BSS key round matrices are M K\ and MK' B : 



A key round is the computation of h, = MK B (h r 



3. Polynomial Systems 

We show how encryption and key generation can be represented by 
algebraic systems. All variables satisfy the F-belonging equation y 256 + 

y- o. 



3.1 Encryption 

Remembering that the last round differs slightly from the other ones, 
with M b = Rg ■ LinB, the system for codification is [MR] : 

' w 0 = p + k 0 

Xi = w i ~ 1 i = 0, ..., 9 , , 

Wj = MfiXj-i + kt i — 1, ..., 9 1 ’ 

. c = M B Xg + kio 

Let (j,m) indicate the (8 j + m)^ 1 component of all the vectors, for 
j = 0, . . . , 15 and m = 0, . . . , 7. If no 0-inversion occurs (true for the 
53% of encryptions and 85% of 128-bit keys), it is possible to expand 
the system as follows, for all possible values of j and m 



0 = Wq ,(j t m) T P(j,rn) + h 0,(j,m ) 

( 9 = T 1 i = 0, . . . , 9 

0 — T (AfgXt_x)(j im ) * 1, . . . , 9 

9 c (j,m) T (AfgXg)(j m ) + fcio, (j,m) 



( 29 ) 
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Let a,0 €. F indicate respectively Mb and Mg entries. Everything 
must be valid for B a , therefore we have (with m + 1 considered mod 8 ) 



s=i 



o — w 0 "E P(j,m) + ^0,(j,m) 

0 = + ki,(j,m) + 5Z a U,m),(j‘ ,m') 

0 = c {j,m ) + ^10 + 53 <m‘) 



* = !,•••> 9 



0 "El t — 0, . . . , 9 

0 = + x i,U,m+l) i — 0, ... ,9 

. 0 = W i.U,m) + W i,U,™+l) i = 0, . . . ,9 



(30) 

Let S(, t = 1, . . . , 6 be the equations in the line of the system 
for all values of i, j and m, and I( the ideal they generate. As we 
see, the system is very sparse, with S' = {Si, S 2 ,S-j} linear, and the 
other equations in S" = {S 4 ,S 5 ,S 6 } quadratic. If k = {kj, w = {w*}, 
x = {xi}, we have 



Line 


Number of equations 


Si 


16-8 = 


128 


s 2 


9 - 16-8 = 


1152 


s 3 


16-8 = 


128 


s 4 


10 - 16-8 = 


1280 


s 5 


10 • 16 • 8 = 


1280 


s 6 


10 - 16-8 = 


1280 


S 


Total = 


5248 



Block 


Number of variables 


k 


11 • 16-8 = 


1408 


X 


10-16-8 = 


1280 


w 


O 

»— * 
05 

00 

II 


1280 




Total = 


3968 



3.2 Key Generation 

There is an analogous system for key generation. The equations 
express all the /ii,(j, TO ) variables in term of the ones. The in- 
dex ranges for the equations are: i = j,j i = 0, ...,3 and 

m,m' = 0, ... ,7, and 7 are the Lin# matrix coefficients. 



K-b = 



' H i0 = ^(Hi-1,3) 
Ha = Hio + Hj-1,1 
H j2 = Ha + Hj-i.2 
, Hi3 = Hj2 + Hi-1,3 



(31) 



~ ^i-l,(12+((j+l) mod 4],m) 

, ^i,(j,m) ~ ( C B "E (R-COng )i)(J,m) + 53 7(j,m)(f,m') z i,(?,m') 

, h i,(4s-t-J,m ) ~ ^i,(4(s— 1)+J,m) "E ^i— l,(4s+J,m) S = 1,2,3 





32 



Let cRj = Cg + (Rconfl)i be the vector in each round, and its com- 
ponents 6i. Thanks to the third equivalence of (21), with t — 0, . . . , 15 
and the conjugation property, we have: 



K 



f 0 - mod 4), m) 

® = hi,Q,m) + $ T (J,m) ( J' ,m') z i,(]',m') 

(jW) 

h — ^j,(4«+5,m) + hi,(4(s-l)+},m) T — 1 ,(4s-4-J,m) s — 1)2,3 



0 — T (CB( c B))(t,m) T 

0 = z j.(J,m) + z «,(J,m+l) 

0 = 

(32) 



4. Resolution 

We are interested in obtaining the key out of the systems S and 
K, that is the original key h = <f>~ x (k*) — {ho, . . . , /ijs}, where k* — 
{^0,(0,m)> • • • > ^0,(15,m)}' 

In order to obtain relations among h (k) components we eliminate all 
other variables. We do this: 



■ modifying the way the systems are presented, 



■ doing some “hand” substitutions, and finally 



■ performing Grobner bases computations (more complicated substi- 
tutions, expansions and simplifications) to obtain the final systems. 

Note that, for each variable v € k, w, z, h, the conjugation property may 
be synthesized by the obvious following relations: 

v iAhm) = v i,(j,o) m — 0, ... ,7 (33) 

4.1 Encryption 

We rewrite S: first of all, we remove the imposed restriction about 
inversion, substituting £4 with an equation expressing the true definition 
of the general inversion in F. Then we use (33), to remove all the 
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variables with index m > 0, obtaining: 



0 = 




< + Pm 


+ k 2m 
+ *0,0,0) 




0 = 


om 

Km 


+ k lm 


^ X a U,m),U' 


2 m< 

' m ')‘ c i-i,0',o) 








0'.™') 




0 = 


2 m i i 2 m 

c 0.o) + ^xo, (j,o) 


+ X PUMAi' >m') x \u' $) 






+ 1/) 254 
+ w t, m 


O'.rn') 




0 = 


x ».0. o) 







(34) 

With the last equation we can remove all the aq^o), and, being each 
line a set of successive square powers, we keep only the ones with m = 0: 



f 0 - w o,(j,o) +P(j, o) + k o,(jfl) 




0 — w i,(j,0) + *»,0,0) + X a (jfl)tU' .«*' ) K-\ ,0'i0) 


i = 1 


,...,9 


0'.”»') 






= c 0,0) + *10,0,0) + X 






O'-"*') 




(35) 



We note that the /? coefficients do not depend on j and j', and the 
values are simply the coefficients of /. To simplify notations even more, 
we take, mod 255: 



u> = (wj) = 254- (2°,..., 2 7 ) = (254,253,251,247,239,223,191,127) , 
J = ( w () = (w 0 — 127, . . . , u>7 - 127) = (127,126,124,120,112,96,64,0) 



We can now avoid writing m index: 



S* 



0 — wqj + pj + koj 

0 = Wij + fey + £ OtfjflMwvffij, 
U',rn') 

0 = felOj + Cj +X A m' Wgj! 

m' 



* = 9 



(36) 



The system has 16+9-16+16 = 176 equations in 11-16+10-16 = 336 
variables. Obviously, it expresses nothing but a series of successive sub- 
stitutions, down to the last equation. Considering a block lexicographic 
(lex) order for which 

kio > w 9 > k 9 > ■ • • > w 0 > k 0 (37) 

we have a (not reduced) Grobner basis [CLO], and the substitutions may 
be considered as the complete reduction computation. The resulting set 
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of the last 16 equations, where all the w variables are no more present, 
is what we are looking for. If q‘J are the resulting polynomials, we have: 

kwj + cj + qf( ko, . . . , k 9 ,p) = 0 j = 0, . . . , 15 (38) 



4.2 Key Generation 

We get more informations analyzing K. We 



■ substitute z variables in the second line equations. 

■ use the conjugation property, 

■ note that C&(cb) has ca = t 6 + t 5 + t + 1 in the (j, 0) positions, 
and opportune powers in the other ones. This means that the 
equations on the fourth line of K, K 4 , may be reduced (the other 
ones being powers of it) to: 

hi,(j,o) ~b ^»,{j,o) T ca = 0 (39) 

■ for the above considerations, express everything directly in term 
of k variables. 

■ observe that Lin)) is a block diagonal matrix, and therefore just 
/ = j is “active” for each single equation, and what remains is 
nothing more than the set of coefficients of the / polynomial. 

We define in : N B n — ► in(n) = 12 + [(n + 1) mod 4] £ N. After 
the elaboration, always remembering the F-belonging equation, we have 
the following system (where i = 1, . . . , 10; s,j = 0, . . . , 3 and in the last 
version we omit m) 




0 ~ h Wfi) + 5 i,m + T(j 1 o)(j',m') /l ift,(in(j'),o) 

0 = \(4«+J,0) + *»,(4(s-l)+J,0) + /li-l,(4s+J,0) 

0 = Kdfl) + ( fc i,(j,0) + ca) 



f 0 = ( fc i,(j,o) + c A ) 4- <Si,(j,o) + 1^7(yo)(j,rn')( fc t -i,(in(j),o) + c A) Um ' 

l 0 = (^i,(4a+J,0) + C A ) + (fci,(4(s-l)+J,0) + c a) + (*t-l,(4«+J,0) + c a) 

\ 0 = kij 4- (c A 4- <^i,( j,o)) + (^t-i,in(j) + c a) • (^^m'(^i-i,in(j) 4" c a) m ') 

I to' 

{ 0 = ^i,4s+J + ^t,4(s-l)+J 4- &i-l,4s+j + C A 

Only k variables remain, 160 equations in 176 variables, and by succes- 
sive substitutions we can express all the ones with i > 0 as polynomials 
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in the “parameters” ko. The equations are a Grobner basis for several 
suitable lex orderings. We may obtain its complete reduction using, e.g. 

&10.15 > . • • > fcio.o > • • • > ^0,15 > . • • > fco,o (40) 

It is possible to work with h variables to obtain the equations following 
the original AES definition, and use (39) only at the end, in order to 
obtain the modified key generation scheme. In any case, the result is: 

kij = q!j(k o) * = !,•••. 10 , j = 0, . . . , 15 (41) 

In the final phase we merge the results. There are two possibilities, 
according to how many ( p , c) pairs (related by the same key) are known. 



One (p, c) pair : We eliminate all intermediate keys, putting together 
the systems S* and K * , refining (37) with (40). We obtain the 
entire substitution process once and for all, summarized as follows: 



C\ = { Qio,j( k o) + Cj +qf(k Qi q^(ko),... y q^j{k 0 ) } p) =0 

i 3=0, ...,15} 



(42) 



a system of 16 equations in 16 variables, having as roots the desired 
keys. 



More than 10 (p, c ) pairs : We use a copy of (38) for each (p, c) pair, 
to obtain a system in 176 variables with at least 176 equations, 
whose roots give all the keys. 



C 2 = { hoj + cf + qf (k 0 , . . . , k 9 ,p(">) = 0 
| n = l,...,d , j = 0 , .... 15 } 



(43) 



These systems are dense, it is very difficult to write them explicitly, 
and even more to solve them. Using more than 1 1 ( p , c) the C 2 system 
becomes overdetermined. 

5. Conclusions 

K* and most of S* are invariant for all choices of keys. Actually, the 
only varying parts of S* are the constant terms of the equations 1 to 16, 
and 161 to 176. Besides, for the equations 1 to 16, it can be chosen, too, 
if convenient. 

When extended, the joint size of K* and S* is of about 500 Kb. Each 
of them is a (not reduced) Grobner basis for several lex orderings, their 
union is not. Probably there exists some ordering for which the calculus 
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of a Grobner basis is easier. If we ever can obtain this with reasonable 
computational resources, then ASS can be declared broken. 

Succeeding to calculate the Hilbert series of K*US*, we should easily 
obtain the number n s of its solutions. We suspect that n s is invariant 
for all key and (p , c) choices. Furthermore, we expect that n s expresses 
the redundancy of the keyspace of ASS. That is, it tells us how many 
key choices will set up the same bijection between the cleartext space 
and ciphertext space. The number of such bijections is expected to be: 

*(ASS Keyspace) ^ 

Tls 



Probably a reasonably simple canonical representation of such bijec- 
tions can be found. In this case, if n a is big enough, probably the right 

(unique up to the isomorphism) key can be found by means of an ex- 
haustive search. 
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Abstract Key escrow is an inherent property in the current proposed Identity- 
Based Encryption (IBE) systems. However the key escrow is not always 
a good property for all applications. In this paper, we present a scheme 
which removes the key escrow from the IBE system proposed by Bonch 
and Franklin, while at the same time maintaining some important prop- 
erties of the IBE. We also present some cryptosystems based on our 
variant including a signature scheme and an authenticated key agree- 
ment. We finally show how to integrate our scheme into a hierarchial 
identity based public key encryption system. 

Keywords: Identity-based encryption, Key escrow. Pairing 

1 Introduction 

Since the landmark paper “New directions in cryptography” [7] was 
published in 1976, public key systems have been playing a fundamental 
role in the modern information security society. To address the security 
threat of the “man-in-the-middle” attack, complicated public key cer- 
tification systems have been developed for years. But the widespread 
deployment of public key systems depends heavily on the certification 
distribution systems which suffer from a scalability problem. 

In an attempt to simplify the certification management in a Public 
Key Center (PKC), in 1984 Shamir [13] first formulated the concept of 
Identity-Based Cryptography (IBC) in which a public key is the iden- 
tity (an arbitrary string) of an entity. Shamir presented an identity- 
based signature scheme in [13] and more signature schemes were pro- 
posed later. However constructing a practical Identity-Based Encryp- 
tion (IBE) scheme has been an open problem for about twenty years. 
Recently Boneh and Franklin [3] and Cocks [5] presented two different 
systems separately. Boneh-Franklin’s scheme has drawn much attention 
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because of its provable security and efficiency in practice. Our work is 
based on this scheme. 

In an IBE system there are four algorithms: (1) Setup generates 
the global system parameters and a master-key, (2) Extract uses the 
master-key to generate the private key corresponding to an arbitrary 
public key string ID € {0, 1}* which is the identity of an entity, (3) 
Encrypt encrypts messages using the public key ID, and (4) Decrypt 
decrypts messages using the corresponding private key. 

Because an entity’s identity (ID) is used as the public key directly, 
some interesting usages of an IBE can be naturally introduced. For ex- 
ample an ID can include the public key expiry time, or differentiate the 
entity’s credentials. On the other hand a special property is inherent in 
the proposed IBE scheme. In Shamir's scheme, the PKC uses the Ex- 
tract algorithm to generate a private key corresponding to the public 
ID. Hence the PKC knows all the entities’ private keys. This property 
is called “key escrow”. Because the proposed scheme [3] and [5] follow 
Shamir's scheme to setup systems, they also inherit the key escrow func- 
tion. However the key escrow function is not necessary for all types of 
applications and a cryptosystem with a key escrow property has some 
serious disadvantages. For example once the master-key is exposed, all 
the entities’ private keys are leaked in principle and all the prior com- 
munication information is under threat of exposure. Some mechanisms 
can be used to increase the security of the master-key, for example the 
threshold cryptography [8]. Gentry and Silverberg presented a method 
in a hierarchical ID-based scheme [9] to restrict the key escrow function 
in small areas. But the existence of a master-key is still a threat to an 
entity’s privacy. In [I] Al-Riyami and Paterson introduced the concept 
of "Certificateless Public Key Cryptography” (CL-PKC) and presented 
a scheme which removes the key escrow property successfully. In this pa- 
per, we introduce the “nickname” concept and present another variant 
of Boneh-Franklin's IBE system without the key escrow function. 

The rest of this paper is structured as follows. In section 2, we de- 
scribe the original Boneh-Franklin’s IBE scheme which is the basis of 
our variant, and we also briefly introduce the bilinear map which is the 
basic mathematical tool used in the scheme. In the next section, we 
present our scheme to show how to remove the key escrow function. A 
security analysis of our variant is presented in section 4. Section 5 and 6 
is a signature scheme and an authenticated key agreement based on our 
variant separately. We show how to integrate our scheme into a hierar- 
chial identity-based public key encryption system in section 7. Finally 
we make a comparison with the CL-PKC scheme. 
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2 Boneh -Franklin’s IBE Scheme 

Boneh-Franklin’s IBE scheme is the first efficient and security provable 
identity-based encryption scheme, which is based on a “bilinear map” 
(pairing) e : G\ X Gi — ► G 2 . Gj and G 2 are two cyclic groups of large 
prime order q. The bilinear map has the following properties: 

1 Bilinear: For all P, Q, R, S G Gi, e(P + Q, P-f- S) = e(P, R)e(P, S) 
e(Q,P)e(Q,S). 

2 Non-Degenerate: For a given point Q € Gi, e(Q,R) = 1g 2 for a ll 
R G Gi if and only if Q = Ogj • Ogj and 1g 2 are the identity of two 
groups respectively. In [3], the concrete IBE uses an ad mi ssible 
map with a distortion map to achieve the non-degeneracy. 

3 Computable: There is an efficient algorithm to compute e(P, Q) 
for any P, Q £ Gi . 

The modified Weil and Tate pairings [14] on elliptic curves can be used 
to build such bilinear maps. The security of Boneh-Fran kl in’s scheme is 
based on an assumption of the hardness of the "Bilinear Diffie-Hellman” 
(BDH) problem. 

Assumption 1 BDH Assumption. Let Q be a BDH parameter gen- 
erator with a security parameter l fc . Define 

Advg, A (k ) = Pr[A(q, Gi , G 2 , e, P, aP, bP, cP) = e(P,P) abc \ 

(q, Gi,G 2 ,e) «- Q(1 fc ),P Gi,o,6,c 4 ZJ]. 

For any randomized polynomial time (in k) algorithm A, theadvantage 
Advg iA (k) is negligible (We say that the problem is hard to solve). 

Boneh-Franklin’s IBE scheme also follows the four steps proposed by 
Shamir. Here is the description of the scheme in detail. 

Setup: Given a security parameter l k , the parameter generator follows 
the steps. 

1 generate two cyclic groups Gj and G 2 of prime order q and a 
bilinear pairing map e : Gi x Gi — + G 2 . Pick a random generator 

P G Gi- 

2 pick a random integer s G Z* and compute P^ = sP. 

3 pick four cryptographic hash functions Hi : {0,1}* — * G], II 2 : 
G 2 -> {0,l} n ,P 3 : {0,l} n x {0,1}” -> 1* and H 4 : {0,l} n -* 
{ 0 , 1 }” for some integer n > 0. 
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The message space is M = {0, l} n . The ciphertext space is C — G{ x 
{0 l l}"x{0,l}». The system parameters are params = (q, Gi , G 2 , e, n, P, 
Ppub, Hi, H 2 , H 3 , Hi). s is the master-key of the system. 

Extract: Given a string ID £ {0,1}*, params and the master-key, 
the algorithm computes Qw = Hi(ID) £ G*, dw — sQjd and returns 
dw- 

Encrypt: Given a plaintext m £ M, the ID of an entity and the public 
parameters params, follow the steps: 

1 pick a random a £ {0, l} n and compute r = Hs(a, m). 

2 compute Qw = H\(ID) and g = e(Pp U („ Qw)- 

3 set the ciphertext to C = ( rP , a ® Hi(g r ), m © //4(a)). 

Decrypt: Given a ciphertext ( U , V, W) £ C, a private key dm and the 
system parameters params, perform the following steps. 

1 compute g' = e(U,diD ) and a' = V © H^ig')- 

2 compute m' = W © H^(o') and r' — Hz(cr' ,m') 

3 If U 7^ r'P, reject the ciphertext, else return m' as the plaintext. 

The consistency of the scheme follows from the bilinearity of e. Boneh 
and Franklin proved that the scheme is semantically secure against the 
adaptive chosen ciphtertext attack (IND-CCA) [2] [31 in the random or- 
acle model [4], 

3 Our Variant of Boneh-Franklin’s IBE system 

Based on Boneh-Franklin’s scheme, we introduce another public and 
private key pair (Njd, t) into the scheme to remove the key escrow func- 
tion. The private key t, a random integer in Z*, is only owned by the 
entity with an identity ID (we use entity ID to refer to the entity with 
the identity ID in the remaining part of the paper). In our scheme the 
encryption and decryption operations not only depend on the public 
key ID (in fact Qw) and the private key dw, but also on the second 
public key Nw and the corresponding private key t. We name the pub- 
lic keys ( ID,Njd ) as (ID, Nickname) and the private keys (dw, t) as 
(PrKeyL, PrKeyR)- Because only entity ID knows PrKeyR, we can 
prove that the key escrow function in the PKC is removed. The effect 
of introducing (iV/£>,t) is discussed after the description of the scheme’s 
details. We can find that to publish a nickname is not a serious new 
burden for a PKC. For simplicity we name our system as V-IBE and 
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Boneh-Franklin's scheme as B-IBE in the following sections. 

Our scheme is specified by five algorithms: Setup, Extract, Pub- 
lish, Encrypt and Decrypt. 

Setup: As the one in Boneh-Fran kl in’s scheme. 

Extract: Identical to Extract in Boneh-Fran klin ’s scheme. 

Publish: Given the system parameters params, an entity selects a ran- 
dom t £ Z*, and computes Nip = (N\, N2) = (tP, tP vu b)- The entity 
can ask the PKC to publish this extra parameter IV / p or publish it by 
itself or via any directory service as a nickname. Note that this publish- 
ing operation has no security requirement. 

Encrypt: Given a plaintext m £ M, the identity ID, public parameters 
params and the nickname Njp = (Ni, N2) corresponding to ID, the 
following steps are performed. 

1 check that Ni,N% £ G* and that the equality e(Ni, P^) = e(N2, P) 
holds. If not, output J_ and terminate encryption. 

2 pick a random a £ {0, 1}” and compute r = H$(p,m). 

3 compute Qip = H\ (ID) and g = e(Ppub + NuQip)- 

4 set the ciphertext to C — {rP, a © H2(g T ),m © //4(a)). 

Decrypt: Given a ciphertext (U,V,W) £ C, dip , t and system param- 
eters params, follow the steps: 

1 compute g' = e(U, dip 4- tQip) and a' = V ® #2(0')- 

2 compute m! = W © H\(o') and r' = H${p' ,m'). 

3 If U ^ r'P, reject the ciphertext, else return m! as the plaintext. 
The consistency of the scheme can be verified by 

g' = e(U, dip + tQip) = e(rP, sQw + tQip) 

= e{sP , Q ID ) r e(tP , Qw) T = e(Ppu6 + N ly Q w Y = / 

Hence <r / in decryption equals a in encryption. Thus, applying decryp- 
tion on a ciphertext recovers the original message m. 

Based on the BDH and another assumption stated in the next section, 
we can prove that the variant is secure against the adaptive chosen ciph- 
tertext attack (IND-CCA) in the random oracle model. Moreover this 
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scheme achieves some special properties that make it different from the 
normal public key systems and the existing identity-based encryption 
schemes. 

CLAIM 1 No more key escrow. Without knowing the private key t 
(PrKeyR) of an entity, an adversary cannot decrypt a message en- 
crypted for the entity, even with the knowledge of the master-key 8. 

This claim follows from Theorem 1 in the following section. 

CLAIM 2 Partially identity-based. Without knowing djjy (PrKeyL) 
of an entity identified by the ID, an adversary cannot decrypt a mes- 
sage encrypted for the entity even if the adversary replaces the entity’s 
nickname Nid with its own choice. 

This claim follows from Theorem 2 in the following section. Because of 
this property, some special usages of the original IBE are still applica- 
ble in our scheme, e.g. an entity’s ID appending with expiry time or 
credentials. 

REMARK 1 Loosely binding nicknames. The extra public key pa- 
rameter Nid introduced in our scheme need not be bound strictly (by 
secure method) to the entity ID. N id can be distributed through an un- 
safe channel as the entity’s nickname. If Alice wants to send a message 
to Bob, but does not know Bob’s nickname, she can ask Bob directly 
or query the PKC or any directory service publishing Bob’s nickname. 
Because of Claim 2, the security of the communication cannot be com- 
promised by Eve who launches the man-in-the-middle attack and changes 
Bob’s nickname with her own choice except that Eve is the PKC. This 
characteristic differentiates our scheme from the normal certification- 
based public key systems. In [1], a simple way is presented to thwart 
the PKC to impersonate another entity in the man-in-the-middle attack. 
The basic idea is to bind entity A’ s identity ID a and nickname Na with 
A’s real public key Qa by re-defining Qa — H\(I D a\\N a) ■ If the PKC 
impersonates entity A, there will be two valid private keys for I Da with 
different nicknames which can only be generated by the PKC. 

REMARK 2 Forward security of the master key. Our scheme in- 
troduces an extra public and private key pair (Njp, t) and only the en tity 
ID knows the private key t. Hence even if the master key 8 of the PKC 
is leaked, the prior communications with destination to entity ID would 
not be exposed, but the following communication would become vulnerable 
to the man-in-the-micldle attack. 
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4 The V-IBE’s Security 

Before defining the security of the scheme, we elaborate two primitive 
foundations of the variant. 

Firstly we prove that based on the BDFI assumption, it is hard for 
the PKC to compute g' in decryption, even though it knows the master 
key s. To construct g' , the PKC needs to use the available information 

(s,P,U = rP,Qjo = aP,NjD = (tP,tPpub)) to compute e(U,djD + 
tQ w ) = e(rP, saP + taP ) = e(P, P) r °( i+< >. 

R 

LEMMA 1 Given (q, Gi , G 2 , e, s, P, aP, rP, tP), where a,r,t < — Z* and 

s is a fixed element in Z*, based on the BDH assumption, it is hard to 
compute e(P, P) r °( a+f ). 

Proof. The proof is straight forward. If an adversary A can solve the 
above problem, we can construct an adversary B using A as a subrou- 
tine to solve the BDH problem. Given a BDH challenge (P, aP, bP, cP ), 
B randomly selects an element s from Z* and passes ( s,P,aP,bP,cP ) as 
the challenge to A . Upon receiving the response R from A , B computes 
e(aP,bP)~ a and returns R • e(aP,bP)~ s as the response to the BDH 
challenge. If A wins the game with non-negligible advantage, so does 
B because if R = e(P, P) ab (*+ C ), B ’s response isi(P, P) ab < s+c h(aP, bP)~ a 
= e(P, P) abc . 

Secondly we show that if an adversary without the master key wants 
to compute g' = e(rP, Qw)^ s+t ^ in decryption, it needs to solve some 
hard problem. Without the check step, the scheme is obviously insecure. 
An adversary can randomly select j € Z* and set N\ = tP = — Ppub+jP 
(s + 1 ~ j mod q), so as to compute g' — e(U, QidY ■ But by applying 
the check step, the adversary needs to find N 2 = tsP = ( j — s)sP to 
pass the check step. If the adversary successfully finds N%, then it is 
able to compute s 2 P = N 2 — jsP. Given (Gi,q,P,sP) to compute s 2 P 
is a squaring-DH problem in group Gi, which is as hard as a normal 
DH problem because the order of Gj is known [12]. If an adversary 
A knows t and can compute g\ we can slightly modify A to solve the 
BDH problem. Given a BDH problem (P, sP, aP, rP) where s,a,r < — 
Z*, after finding N\ = tP, A computes R = e(P, P) aar e(tP, P) ra but 
outputs R ■ e(rP, aP) -t = e(P,P) 3ar . The output is just the solution 
to the BDH problem. Note that a legitimate party has t and saP to 
compute R. If A does not know t and j = 8 + t mod q, it seems hard to 
find such N\ and N 2 satisfying the check requirement and at the same 
time making the computation of g' easy. Based on this evaluation, we 
propose an assumption. 
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ft 

Assumption 2 Given (q,Gi,G 2 ,e,P,sP,aP), where s, a < — Z*, based 
on the BDH assumption, it is hard to find N\,N 2 £ G* satisfying 
i(N lt sP) = e( N 2 ,P) and at the same time making computation e(P,P) sar 
ft 

e(Ni, P) ra with rP < — Gi easy (here “easy” means existing a randomized 
polynomial time algorithm). (We refer to the assumption as a Bilinear 
EQuation (BEQ) assumption.) 

Now by defining two types of adversaries, which correspond to an 
adversary with and without the master-key respectively, we state the 
security analysis in the following two theorems. 

Definition: Type-I Attack 

An adversary with the master-key launches a Type-I attack by taking 
one or more of the following actions interacting with a challenger follow- 
ing from the IND-CCA notion. 

1 Query the nickname of any entity IDi. 

2 Publish a nickname for any entity IDi. 

3 Extract PrKeyL of any entity IDi. I n fact because the adversary 
has the master-key, it can compute PrKeyL of any entity. But 
we still assume that the adversary issues Extract query to get the 
PrKeyL from the challenger for simplicity. 

4 Extract PrKeyR of any entity IDi but I D c h . However querying 
PrKeyR of a nickname published by the adversary is prohibited 
because it is unreasonable to require that the challenger knows 
such value which implies that the challenger can solve the discrete 
logarithm problem. 

5 Be challenged on the chosen ID c h by providing two messages mo, m\ . 
Note that the nickname N c h of entity ID c h is not the one published 
by the adversary. Hence it means that although the adversary can 
replace N c h in some phase, it must be challenged on I D c fs orig- 
inal nickname. Following the IND-CCA notion, the challenger 
randomly chooses b G {0, 1} and provides the ciphertext of mb- 

6 Issue a decryption query { IDi,Ci ). The adversary is prohibited 
from making a deciyption query on the challenge ciphertext for 
the combination of identity ID c h and the original N c b- 

If the adversary with the master-key also changes the nickname N c i t of 
the entity ID c h on which it wants to be challenged, it knows both d c h and 
t c h ■ Hence the scheme cannot protect the information encrypted under 
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ID c h and the changed nickname. In traditional public key cryptosystems 
this attack is not prevented either. This is the reason for the rules in the 
challenge phase. In the IND-CCA model, an adversary can continue to 
ask queries after the challenge phase. The advantage of an adversary is 
defined as the amount by which the probability of guessing the correct 
b exceeds ^ (i.e. Advantage=max {Pr[Guessing the correct 6]-^,0}). 

THEOREM 1 If there exists a Type-I IND-CCA adversary A with non- 
negligible advantage t against V-IBE, then there exists an adversary 
B which can solve the BDHP with non-negligible advantage in the ran- 
dom oracle model. 

Definition: Type-II Attack 

An adversary without the master-key launching a Type-II attack can 
take one or more of the following actions when interacting with a chal- 
lenger. 

1 Query the nickname of any entity ID{. 

2 Publish a nickname for any entity I Di. 

3 Extract PrKeyL of any entity I Di except ID c h- 

4 Extract PrKeyR of any entity ID{. But the adversary should not 
query PrKeyR of a nickname published by itself. 

5 Be challenged on the chosen ID c h by providing two messages mo, m\. 
Note that there is no requirement on the nickname of ID C h- Hence 
the adversary can be challenged on an entity whose nickname 
is published by the adversary. The challenger randomly chooses 

b € {0, 1} and provides the ciphertext of m&. 

6 Issue a decryption query ( IDi,Ci ). The adversary is not allowed to 
query on the challenge ciphertext for the combination of identity 
ID c h and the nickname used in the challenge query. 

The adversary can query private PrKeyL of any entity IDi except ID c h 
and can publish a nickname for any entity. The advantage is defined 
similarly to the one for the Type-I adversary. 

THEOREM 2 If there exists an IND-CCA Type-II adversary ' A against 
V-IBE with advantage e, then there exits an adversary B which can solve 
the BEQ problem with non-negligible advantage in the random oracle 
model. 

The proofs of the above two theorems are essentially similar to the 
proofs of Theorem 1 and 2 in the CL-PKC [1], but with different as- 
sumptions (the authors proposed a general BDH assumption in [1]). 
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5 A Signature Scheme Based on Our Variant 

We describe a public key signature (PKS) scheme based on aprovably 
secure signature scheme in [10] and our variant. The PKS scheme can be 
specified by algorithms: Setup, Extract, Publish, Sign and Verify. 

Setup: Given a security parameter l fc , the parameter generator follows 
the steps. 

1 generate two cyclic groups Gi and G 2 of prime order q and a 
bilinear pairing map e : Gi X Gi -+ G 2 . Pick a random generator 

P G Gj. 

2 pick a random s G Z* and compute P pu i = sP. 

3 pick two cryptographic hash functions H\ : {0,1}* — + G{ and 
H 2 : {0, 1}* x G 2 -t Z*. 

The system parameters are params= (g, Gi,G2, e, n, P, P pu b, H\, 112) ■ s 
is the master-key of the system. 

Extract: Given a string ID G {0,1}*, params and the master-key, 
the algorithm computes Qjd = H\{ID) G G{, djjj = sQjq and returns 

dw 

Publish: Given the system parameter params and an entity ID, select 
a random t G Z*, and compute Njo = (Ni,Ni) = ( tP , tP pu ^). 

Sign: To sign a message m G M using the private key (dio,t) of entity 
ID, the following steps are performed. 

1 choose an arbitrary point P\ G G{ and pick a random integer 
k G Z*. 

2 compute r = e{kP\,P) and v = H{m,r). 

3 compute Qw = H\{ID ) and U — v(dw + tQio) + kP\. 

4 output as the signature (U,v). 

Verify: To verify a signature (U,v) of entity ID with nickname Njd — 
(Ni, N 2 ) on a message m G A4, follow the steps: 

1 check that N\,N^ G GJ and that theequality e(N\, P pu b) = e(N' 2 , P) 
holds. If not, output J_ and terminate verification. 

2 compute Q 10 — Hi(ID). 
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3 compute r' = e(U , P)e(Qio, ~Pjmb ~ Ni) v . 

4 accept the signature if and only if v = H(m, r'). 

The consistency of the scheme easily follows from 

r' = e{U,P)e{QiD,-Ppub-N,y 

~ e(vdjo + vtQio + kP\, P)e(vQto, — sP)e(vQio , —Njd) 

= e(vsQiD,P)e{vtQw , P)e(fcPi,f , )e(t;sQ/z), -P)e{vtQio, -P) 
= e(kP u P ) 

6 An Authenticated Key Agreement Protocol 

The following is a two-party key agreement protocol which extends 
Smart's protocol [15]. 

A->B: xP, Nfa = (7V[\ = ( aP , aP^) (1) 

B -* A : yP, N% = = (bP, bP^) (2) 

Upon the completion of message exchanges, A and B first check the 
exchanged nickname {Nf D and Nf D respectively). After that A com- 
putes K a = e{Qf n ,P pub + N?)* ■ e{dfp + aQf D ,yP), and B computes 
Kb = e(Q/0’ Ppub + N*) y e(df D + bQjp,xP) respectively. It is easy to 
see that the secret key K = K A = Kb is shared between A and B. 

Ka = i(Qfn,sP + bP)*e(aQf D + aQf D ,yP) 

= e(sQf D + bQf D ,xP)e{Qf D ,sP + aP) v 

= K b 

Although A and B can use H{K\\xyP) as the shared key, where H 
is a proper hash function to achieve forward security, Shim’s protocol 
and its descendant [6] are vulnerable to the man-in-the-middle attack 
launched by the PKC. The new variant still suffers from such attack 
if the PKC replaces the nicknames in the two messages with its own 
selections. However we can use the same method mentioned in Section 
3 to thwart such attacks. 

7 Hierarchical PKE 

In [9] Gentry and Silverberg introduced a totally collusion-resistant 
hierarchical ID-based infrastructure for encryption and signature. We 
integrate our scheme into this hierarchical system to eliminate all kinds 
of key escrow to any ancestor of an entity. In the system, every entity 
is located in one level of a hierarchical system. Except the root entity, 
every entity is identified by an ID-tuple which identifies every ancestor 
along the path to the root. The major steps of our scheme are identical 
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to the ones in [9]. 

Root Setup: Given a security parameter l k , the parameter generator 
follows the steps. 

1 generate two cyclic groups Gi, G 2 of prime order q and a bilinear 
pairing map e : Gi X Gi — > G 2 . Pick a random generator Pq E G\. 

2 pick a random integer so € Z* and compute Qq = SqPo. 

3 pick two cryptographic hash functions Hi : {0,1}* — > G* and 
H 2 : G 2 — ► {0, l} n for some integer n > 0. 

Low- lever Setup: Entity E t E Level t picks a random s t E Z*, which 
it keeps secret. 

Extraction: Let Et be an entity in Levelt with ID-tuple {ID \, . . . , ID t ), 
where (IDi , , . . , IDt) for 1 < i < t is the ID-tuple of Et ’s ancestor at 
Levelt . Follow the steps: 

1 compute P t = Hi(IDi\\ID 2 \\ . . . || ID t ) 6 Gi. 

2 set E t 's secret point S t = S t -\ + s t -iPt = ^=1 s i-iP%- 

3 set Qt = SiPo for 1 < i < t — 1. 

Publish: For ID t , select a random b t E Z* and compute the nickname 

N t = (NiNt) = (btPo,btQo)- 



Encryption: To encrypt m E M with the ID-tuple ,ID t ) 

and the corresponding nicknames TV; = (N{, NZ,) for 1 < i < t, take the 
following steps: 

1 for each 1 < i < t, check that N\,N^ E G* and that the equal- 
ity e(A/”|, <9o) = e(N 2 , Po) holds. If not output ± and terminate 
encryption. 

2 compute Pi — Hi(IDi\\ID 2 \\ . . . || IDi) e Gi for 1 < i < t. 

3 choose random r E Z*, and compute cyphertext 

C - (U 0 ,U 2) ... ,U U V) = (rPQ,rP 2) ■ ■ ■ ,rP t ,m® H 2 {g T )}, 
where g = e(Qa + N[,Pi) = e(soPo,Pi) ■ e(b t Po,P\). 

Decryption: To decrypt the ciphertext C — (Uo, U 2 ,... , Ut, V) E Ct 
for an entity in level t with the ID-tuple (IDi,ID 2 , . . . , ID t ), follow the 
steps: 

1 9 ' ^ = ^Po^oPi+btPx) = e(s 0 P 0 ,PiYe(btPo,Pi) r . 

2 compute m' = V © H 2 (g') as the plaintext. 
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8 Comparison with The CL-PKC 

In the above sections we have shown that all the cryptosystems sup- 
ported by the CL-PKC can be realized using our variant. In fact, the 
public key in the CL-PKC is essentially the same as the nickname in 
our scheme. Hence, our variant is an alternative implementation of the 
CL-PKC but based on a different hardness assumption. 

Our scheme is slightly slower than the CL-PKC, because our scheme 
needs an extra point addition operation. However the point addition is 
very fast compared to the pairing computation or the scalar operation. 
The following table compares the complexity of the two schemes and 
B-IBE (P for pairing computation, S for scalar operation and E for 
exponentiation). We ignore the hash operation and the point addition, 
because the numbers of hash operations in all schemes are equal and 
the point addition is a very lightweight computation compared to the 
pairing, scalar and exponentiation operations. 



Scheme 


Encryption 


Decryption 


Key Publish 


CL-PKE 


3P+1S+1E 


1P+IS 


2 Points 


V-IBE 


3P-I-1S-I-1E 


1P+1S 


2 Points 


B-IBE 


1P+1S+1E 


1P+1S 


0 Point 



In both schemes (CL-PKE and V-IBE) entities can save two pairing 
computation in the check procedure by checking an intended entity’s key 
(the nickname in V-IBE or the public key in CL-PKE) once and save 
one pairing operation by pre-computing g before sending more than one 
message to the intended entity. 

A good property of our scheme is that it cooperates seamlessly with 
the original IBE system. In fact, the original IBE can be deemed as a 
V-IBE with (0,0) (O is the identity of group Gi) as a nickname and 
q as PrKeyR for all entities. If an entity wants to use the “nickname” 
system, it can use the original IBE implementation by slightly modifying 
the existing functions to include the presented extension. After that, 
all that an entity needs to do is to select a private key t and publish 
(tP, tP pub ) by itself or via a directory service. If a peer entity does 
not support the nickname system in a crypto-protocol, the entities can 
degenerate the security scheme to the basic IBE scheme gracefully. To 
do this the check procedure needs a minor modification to allow N\,N 2 £ 
Gi instead of G*. 

9 Conclusion 

By introducing anew concept “nickname”, we modify Boneh-Franklin's 
IBE scheme to remove the inherent key escrow function. We find that 
the new scheme inherits the basic property of the IBE system to enable 
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part of the public key to be an arbitrary string, but at the same time re- 
moves the key escrow function without necessarily increasing the PKC’s 
burden. Using this variant we extend a signature scheme and an authen- 
ticated key agreement to remove the key escrow property. We also show 
one method to integrate our scheme into a hierarchial identity-based 
public key encryption system. 
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Abstract A Boolean function is called normal if it is constant on flats of certain dimen- 
sions. This property is relevant for the construction and analysis of cryptosys- 
tems. This paper presents an asymmetric Monte Carlo algorithm to determine 
whether a given Boolean function is normal. Our algorithm is far faster than the 
best known (deterministic) algorithm of Daum et al. In a first phase, it checks 
for flats of low dimension whether the given Boolean function is constant on 
them and combines such flats to flats of higher dimension in a second phase. 
This way, the algorithm is much faster than exhaustive search. Moreover, the 
algorithm benefits from randomising the first phase. In addition, by evaluating 
several flats implicitly in parallel, the time -complexity ofthe algorithm decreases 
further. 

Keywords: Normality, Boolean Functions, Asymmetric Monte Carlo, Cryptography 

1. Introduction 

1.1 Motivation 

Boolean functions and maps play a central role in cryptology. They are basic build- 
ing blocks of bit-oriented block and stream ciphers. In order to construct secure cryp- 
tographic ciphers, i.e., ciphers which resist all known attacks, it is important to study 
the structure and behaviour of Boolean functions. 

Normality of a Boolean function is the property which determines if the function 
is constant on a flat of dimension \n/2]. This concept was introduced by Dob94. in 
order to construct highly nonlinear balanced Boolean functions. Later, this property 
was used to distinguish different classes of bent functions. As the first bent function 
which is non-normal occurs for dimension 14 (Can03), we need a highly optimised 
algorithm for determining the normality of Boolean functions. This is non-trivial as 
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the total number of flats increases exponentially for increasing dimension n (MWS9 1). 
Table 1 lists the number of flats of dimension \n/ 2]; this clearly shows that even for 
moderate dimensions (n > 13 . . . 15) establishing normality by exhaustive search is 
infeasible. 



Table I. The number of flats of dimension [ f ] to test for different dimensions n 



n 


8 


9 


mem 


Ell 


e a 


EH 


EH 


EH 


ra 


EH 


■H 


MEM 


mrm 


log 2 (# flats) 


22 


26 


32 


37 


44 


50 


58 


65 


74 


82 


92 


1 ioi 1 


1 12 | 



1.2 Related Work 

The first attempt for determining the normality of a Boolean function, better than 
exhaustive search, is due to DDL03. The main idea of their algorithm is to search 
exhaustively all flats of small dimension on which the function is constant and then to 
combine these to flats of higher dimension. 

1.3 Achievement 

In our algorithm, we replace the exhaustive search through all flats of small dimen- 
sion by a random search. This has several advantages over the algorithm of Daurn 
et al. First, we do not need a unique representation of flats which means less condi- 
tions to test and therefore a lower time complexity. Second, the number of repetitions 
needed to determine with high probability that a function is non-normal, is far smaller 
than an exhaustive search on all flats of small dimension (cf Sect. 4.2). Our algorithm 
is of the asymmetric Monte Carlo type and may output “non-normal” with probability 
2 -c for a normal function and some confidence level c € N. The output “normal” is 
always correct. This asymmetric Monte Carlo algorithm has a far smaller running time 
than the deterministic algorithm of DDL03 — even with a reasonable error-probability 
(c = 80 in our case). 

1.4 Outline 

This paper is organised as follows. In Sect. 2, we introduce the basic definitions 
together with a description of the main ideas in our algorithm. Sect. 3 presents more 
details and explains several optimisations for our algorithm. In Sect. 4, we give a 
detailed complexity analysis of the algorithm and compare the total time complexity 
of our algorithm with the time complexity of the previous algorithm from DDL03. 
This paper concludes with Sect. 5. 

2. Background 

In this section we present some definitions and a simplified algorithm to test the 
normality of a Boolean function. 
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2.1 Definitions 

Before we can describe our algorithm, we need to define several objects. We start 
with vectors and vector spaces and finish with some definitions concerning Boolean 
functions. 

Let a vector u G FJ be represented by the n-tuple (u n -i, . . . , Uo) with the coef- 
ficients Ui G F 2 from the field with 2 elements. Let uj", . . . , ujf G FJ be k linearly 
independent vectors. Then they form the base of the subspace 

<U> := <ui , . . . ,Uk> '■= {qiuT © ... © ajfcUfc | a* G F 2 }. 

Here, the dimension of <U> is k. For a given vector a G FJ, we represent the coset 
of this subspace by Us '■= 5© <U>. Throughout this paper, we call the coset Us a 
flat. The vector a of the flat Us is called the offset of this flat. In addition, two flats are 
said to be parallel if they are cosets of the same subspace <U>, i.e., all flats of the 
form Us, 5 G FJJ are parallel flats by this definition. Finally, we denote the set of all 
flats of dimension s by Flat s , i.e., 

Flat, := {Us \ a G F£ , <U> C F£, dim <U>= s}. 

We now move on to Boolean functions. A Boolean function / is a mapping from 
FJ into F 2 . The property of normality for a Boolean function / is defined as follows: 

DEFINITION 1 A Boolean function f : FJ — > F 2 is called normal if there exists a 
flat Ws C F£ of dimension [n/2] such that f is constant on Ws, i.e., VtU G Ws : 
f{w) — cfor some fixed c G {0,1}. We call the flat Ws a witness for the normality of 
the function f. 

As we see from Definition 1, the property of normality is related to the question 
of the highest dimension of the flats on which the function / is constant. As a con- 
sequence, it is natural to generalise the previous definition by the introduction of k- 
normality (DubOl; CarOl): 

DEFINITION 2 For a natural number k : 1 < k < n, a Boolean function / : FJ — + 
F 2 , is said to be "k-normal" if there exists aflat Vs € Flatk such that f is constant 
on Vs. i-e., W € Vk : f(V) = cfor some fixed C € {0,1}. We call the flat Vs a 
"k-witness" for the normality of the function f. 

Remark: It is clear that a constant function /(x) = c, Vx G Fjj , c G F 2 is n-normal. 
An affine function /(x) = a ■ x © b, Vx, a G FJ.fc G F 2 is (n — l)-normal, because it 
is normal on the flats {x : a ■ x © 6 = 0} and {x:a-x©6 = l}of dimension n — 1. 

2.2 A Simple Algorithm 

The previous section shows that it is important for the definition of normality and 
fc-normality, i.e., for a given dimension e := k (fc-normality) or e := Tn/21 (ordinary 
normality), to find a witness Ws G Flat e . To ease the understanding of the algorithm 
of Sect. 4, we start with a highly non-optimised version of it (cf Fig. 1). Both algo- 
rithms are based on the observation made by DDL03, that a Boolean function which 
is constant on a flat Wo is also constant on all flats contained in Ws, i-e.. f\w*~ c f° r 
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Figure 1. Simplified Algorithm for Checking Normality 

Input: function /, start dimension a, end dimension e, repetitions r 

Output: 1 if the function is e-normal 

for i <— 1 to r do 
pick a flat Ua £n Flat., at random 
if — c for some c € {0, 1} then SearchFurther(l/a, e) 
endfor 



procedure SearchFurther(Ua, e) 

c - f\u* 

if dim Ua ~ e then 
OUTPUT 1 
endif 

forall b € \ Us do 

if (/|(/ r = c) then SearchFurther(o © <U,a(B b>,e) 

endfor 

endproc 



some C € {0,1} implies = c for all Vs C Wo. We call the flatVj a sub-witness 
of Wo. 

Our algorithm starts with a randomly chosen flat Ua of dimension s, the starting 
dimension. If this flat is a sub- witness, the function / must be constant on it. So, if 
the function / is constant on the flat U&, this is a possible candidate for a sub-witness 
and we search for a parallel flat Uj, on which the function is constant, too. Both flats 
U; It Us can now be combined to a flat of higher dimension, namely a © <U, a © 6>. 
We repeat this process recursively until we reach the “end dimension” e. In this case, 
we have found a witness Wa and output 1. 

Depending on the “confidence level" c we want to achieve, we need to repeat the 
above algorithm several times. The value for r, i.e., the number of repetitions, depends 
on c. We discuss the choice of r in Corollary 10 (cf Sect. 2). 

3. Optimisations 

After given a short outline of our algorithm, we show different ways of optimising 
it. 



3.1 Complement Vector Space 

There are in total 2 n — 2 s parallel flats Ua, a £ FJ \ < U > for a given subspace 
<U> of dimension a. However, some parallel flats are equivalent as they contain the 
same points. 
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EXAMPLE 3 Consider some parallel flats of the following subspace of dimension 2 
which is defined by <U> := < (0, 0, 1), (0, 1, 0) > C F$. 

( 1 , 0 , 0 ) © <( 0 , 0 , 1 ), ( 0 , 1 , 0 ) > = ( 1 , 1 , 0 ) © <( 0 , 0 , 1 ), ( 0 , 1 , 0 )> 

= ( 1 , 1 , 1 ) © <( 0 , 0 , 1 ), ( 0 , 1 , 0 )> 

= ( 1 , 0 , 1 ) © <( 0 , 0 , 1 ), ( 0 , 1 , 0 )> 

As a consequence, the parallel flats can be divided into equivalence classes. Therefore, 
we use the complement of a subspace <U>, i.e., the subspace <U> which satisfies 

<U> © <U> = FJ and <U> n <[/>= {0}. 

This allows us to determine the representatives of the equivalence classes of the par- 
allel flats, namely the flats Us, for a £<U>. Because the dimension of <U> is equal 
to n — s, there are in total 2 n_a different parallel flats. To compute the complement 
<U > of a given subspace <U> efficiently, we make use of the Permuted Gauss 
Basis (PGB) of a subspace. To define the PGB, we need to introduce the concept of 
left-most-one of a vector first. 

DEFINITION 4 For a given vector u = (u n _ 1 , . . . , Uo), we define the left-most-one 
as the position of the left-most one in its representation: 

u(u) := min{i G {-1, . . . ,n - 1} | Uj = 0 for i < j <n}. 

DEFINITION 5 The vectors uj’, . . . , uf form a PGB basis iff 

v(ul) yf t'(uj), 0 < i < j < n . 

Remark: The name Permuted Gauss Basis is motivated as follows. Thinking about 
the base vectors uj", ... , ujf as a matrix, we would perform Gaussian elimination on 
it, without swapping rows. The result would not be a triangular structure but a row 
permutation. 

For a subspace <[/>, we denote the set of the different left-most-ones of its ele- 
ments 



T (<U>) := Mu) I u G <U> \{0}}. 

The complement <{/> of a subspace <U> where <U> is in PGB can be computed 
as follows: 



<U>— (a G F£ | a* = 0, where i G T(<{/>)} . 

3.2 Random Points instead of Random Bases 

Instead of selecting a random flat with a PGB, we choose (s + 1) points at ran- 
dom. This is cheaper than selecting a vector space at random which satisfies the PGB- 
criterion. In addition, we only need to transfer a set of (*+ 1) points into a PGB if 
the function / is constant on the corresponding flat. As this only happens with prob- 
ability 2 -2 +1 , we obtain very low costs on average. For 8 points, we can compute 
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Figure 2. Algorithm for computing the PGB of a set of points 

procedure ComputePGB(pi ,p„) 

Input: s points p 1 , . . . ,p e 

Output: a PGB of the , . . . , p a 
for k *- 2 to s do 

while v(p k )e MPi).--- <v{p k _ j)}do 
for i 1 to k - 1 do 
if i/fo) = u{p k ) then p*© 4 - p { 

endproc 



the PGB by the iterative algorithm from Fig. 2. The point p 0 is the offset of the flat 
Po © <Pj , . . . ,p s > and has to be reduced as outlined in the previous section. 

Finally, we have to check whether the (s +• 1) points form a flat of dimension s. 
The contrary happens only with very small probability: 

(2 n )(2 n - 1) • • • (2 n - 2*)/2 n ' ( * +1 \ 

Using the following strategy, we can reduce the running time of the algorithm fur- 
ther: instead of picking (s + 1) points at random and evaluate explicitly if they form 
a flat of dimension s on which the function / is constant, we do this implicitly in 
parallel: 

■ Pick (2s + 1) points at random 

■ Evaluate / on these points 

■ if exactly (s + 1) points evaluate to 1 (resp. to 0), check if the corresponding 
flat yields the constant 1 (resp. 0) on the function /. 

This implicit evaluation strategy exploits different observations. First, we assume that 
we can form a total of ttflats := independent flats of dimension s using a set of 

(2a + 1) points. This way, we can decrease the number of repetitions by this factor. 
In addition, we observe that a set of (2s + 1) points will yield at most one flat of 
dimension 8 on which the function / is constant, if (s + 1) points in the set evaluate 
to 1 (resp. 0) on the function /. However, the probability for this event is rather high, 
2 ( 3,+1 ) 

namely Pr( only one flat) := ■ 

But there is a price to pay for this strategy: we always need to perform (2s + I) 
evaluations of the function / and also the same number of random calls. 

Remark: It is natural to generalise this idea to other values than (2s + 1). However, 
in this case we do not obtain such a good trade-off between the factor #flats and the 
workload to check the corresponding flats. The choice (2s + 1) is optimal for the given 
problem. 



3.3 Combining 

In the original algorithm, we searched for all parallel flats and started a recursion on 
each of them. This is obviously superfluous as we will find the same witness several 
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times this way. As we know from the previous section, we will obtain at least 2 e ~ a 
parallel flats [7j— on which the function is constant. Here, e denotes the end-dimension 
and a the start-dimension. 

To avoid this costly computation, we use a different strategy, based on DDL03: 
instead of recursively searching for all parallel flats of higher dimension, we com- 
bine flats of low dimension to obtain flats of higher dimension. This is based on the 
following observation: 

(bt © <U>) U (6j © <U>) = bi © <U,bi © bj> . 

Hence, we only need to consider pairs (6j,6j) e<u> x <u> which lead to the 
same sum and then combine them recursively until we obtain a flat of dimension e. To 
do this efficiently, we introduce 2 n lists (depending on a vector v €F?) which hold 
an offset for each possible sum, i.e., Append (L b< ® b * , b i). In the following section, we 
develop a branching condition for the combine method, which allows to decrease its 
running time even further. 

3.4 Branching 

Let the function / take a constant value C € {0,1} on the flat Us of dimension d. 
Denote with P(Ua) the set of all flats parallel to Us on which the function yields the 
same constant. The following branching condition defined by the cardinality of the set 
P(Ua) has been observed by DDL03. We are able to improve their result by giving a 
shorter proof. 

Theorem 6 If \P{Us)\ < T~ d , we can terminate the current branch of the combine- 
method in <U> without violating its correctness. 

Proof: Let Wj be a witness and Us C Wj its subwitness. Now, there exist exactly 
(e — d) linearly independent vectors uJf, . . . , w e -d £<W> with uTf, . . . , ii) e -d $< 
U > and consequently uJ \, .... W e -d €<U>. These vectors exist due to dimension 
reasons as dimWj = e and ditnC/o = d. Therefore, for any subwitness Us C Wn exist 
2 e ~ d parallel subwitnesses. This implies that \P{Us)\ > 2 e_rf . As a consequence, we 
can stop at any step in the algorithm if this condition is violated because we will not 
be able to extend the flat Us to a witness of dimension e. □ 

4. The Improved Algorithm 

Using the ideas from the previous section, we obtain the algorithm of Fig. 3. The 
method SearchForParallelFlats can be found in Fig. 4 and the optimised version of 
the combine-method is presented in Fig. 5. In the following sections, we analyse this 
optimised algorithm. 

4.1 Complexity Analysis 

We start the analysis of the algorithm with determining the number r of repetitions. 
Then we analyse the complexity of the main loop from Fig. 3, the complexity of the 
SearchForParallelFlats from Fig. 4 and the complexity of the Combine-procedure from 
Fig. 5 in different steps. 
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Figure 3 . Main loop for the optimised algorithm 

Input: function /, start dimension a, end dimension e, repetitions r 

Output: one witness if the function is e-normal 
for i «- 1 to r do 
So <— {}. Si <— {} 
for i <— 1 to 2s + 1 do 

c <- f(p) 

S c U <— {p} 

endfor 

if ((|So| 7^ a + 1) and (|Sj | ^ a + 1)) then continue 

C <- |5l| - 8 

if /I Po®<Po®Pi, .... Po®p.> (P* € s c ,i e {0, . . . , s}) not constant then continue 
a© <U> ComputePGB(p^, ... ,pj) 

If dim<t/> a then continue 
SearchForParallelFlats(<t/ >) 
endfor 



Figure 4 . SearchForParallelFlats for the optimised algorithm 

procedure SearchForParallelFlats(<t/> ) 

<U> <— ComputeComplement(<(/> ) 

L *- 0, c*~ f(a) 
for b € <U> \{a} do 
if /|(y E = c then Append(L,6) 
if \L\ > 2 e ~" then Combine(<t/> ,L) 
endproc 



Number of Repetitions. 

For determining the number of repetitions, we need the following lemma from MWS91, 
concerning the number of subspaces and flats of a certain dimension in a vector space. 

LEMMA 7 The number of subspaces of dimension a in a vector space of dimension 
n is given by 

8 ~ } on— i i 

n - s ) : =n^TTT' 

i= 0 

The number of flats of dimension s in a vector space of dimension n is given by 

NF(n, s) := 2 n - = 2 n ~ s NS(n, a). 

i=0 C 

Before determining a bound on r, we first introduce the term complaisant flat. 
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Figure 5. Combine-method for the optimised algorithm 

Global Initialisation: 
forall a € F? do 

L“ <— 0 

procedure Combine(<[/>, L) 
d <— dim <U> 
if d > e then 
Let a € L 
OUTPUT Ua 
endif 

forall ( bi,bj ) € L x L ■. i < j do 
Append(L 6i ®\ 6,) 
forall ( b i} bj ) € L x L :i < j do 
5 +— bj © bj 
if \L S \ > 2 e ~ d ~ 1 then 
V <-0 

forall b £ L g do 

if 6 e <U, a> then Append(L', 6) else Append(L', a © 5) 
Combine(<U, a>,L') 

endif 
L“ <— 0 

endfor 

endproc 



DEFINITION 8 A flatUa is called complaisant if the function is constant on the flat, 
the flat is parallel to a sub-witness, but the flat is not contained in any witness. 



THEOREM 9 When choosing (s + 1) points Poi • • ■ j P, 6 IFJ at random, the prob- 
ability PF(n, s,e) that the flatUs formed by these (s+l) points pass the first step in 
the algorithm is equal to 

PF(n,s,e) = Pr(Ua is a sub-witness) + Pr(Ua is a complaisant flat) , 



where 



Pr(Ua is a sub-witness) 
Pr{Ua is a complaisant flat) 



n 

i=l 



2 e - 2* 
2 " 



i-l 



_ 2 . +1 2 n ~ e NS(n,a) — NF(e,s) 
NS(n, a) 



In the above formula, e is the dimension of the witness. The formulas for and 

NF(- ,•) are given in Lemma 7. 
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Proof: We first determine the probability that the flat Ua is a sub-witness. This 

probability is justified with an inductive argument on the dimension of the sub- witness: 
for one point ( i.e a flat of dimension 0), the probability of being a sub-witness is jtr. 
Here, the witness has 2 e points. This probability is also true for extending the sub- 
witness from dimension (i — 1) to dimension i (we have 1 < * < a). In addition, we 
have to consider the case p i S p 0 + <Pi, ■ • ■ (.£., the new point p, lies in the 

sub-witness of dimension ( i — 1) generated by the points p 0 , . . . ,Pj_j. 

The probability that Us is a complaisant flat is equal to the probability that the 
function is constant on Ua times the number of flats which are parallel with a witness 
but not part of a witness. This is exactly expressed in the formula. □ 

>From the previous theorem and the implicit evaluation strategy as described in 
Sect. 3.2, we can deduce the following corollary. 

COROLLARY 10 For a given start dimension s and an end dimension e, we need at 
most 

Rep{n, a, e, c) = PF ^ S ^ ' p r (only \ flat)# flats 

repetitions to achieve a confidence of 2~ c that the function f is not e-normal. 

Table 2 shows some numerical values ofr in log 2 . In this and all following tables, 
we concentrate on even choices for n and fix e = as these cases are particularly 
relevant in cryptography. 

Table 2. Number of repetitions (in log 2 ) for different values of n and s 



s\n 


8 


10 


12 


14 


16 


18 


20 


2 


15.49 


18.35 


21.28 


24.25 


27.23 


30.22 


33.22 


3 


18.68 


22.31 


26.14 




34.02 


38.00 


41.99 


MM\ 




26.11 


30.72 


35.54 






50.38 



Complexity of the main loop. 

Obviously, picking (2a + 1) random points and checking if the function is constant for 
a given flat, will be the most expensive operations. Therefore, we start with a lemma 
on the average complexity for checking that a function is constant on a given set of 
points. 

LEMMA 1 1 For a given random function f : F 2 — * F 2 and a given set of points 
P C F£, the algorithm from Fig. 6 needs on average 3 evaluations off to check if this 
function is constant when restricted to vectors in the set P. 

Proof: The average number of evaluations depends on the number of points p := |P| 
of this algorithm; it is given by 

E <v) ■= E (*' + J ) + P = 3 - ^2 • 

t=l 
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Figure 6. Algorithm to determine if a function is constant on a set of points 

Input: function /, a set P with p := |P| points 

Output: 1 if / is constant on P and 0 otherwise 

Let q x € P,c<- /(gj) 
for q € P \ {?! } do 
if/® 7 ^ c then OUTPUT 0 
OUTPUT 1 



To justify this formula, we observe that we need to evaluate / at least once to obtain 
the constant c. As the function is a random function by definition, we have a proba- 
bility of 5 to obtain a different constant for every further evaluation, i.e., to terminate 
this algorithm. After checking a total of p points, the algorithm terminates. For this 
last check, we still have a probability of | to output 0. However, the workload of 
outputting 0 or 1 is exactly the same, namely p evaluations. □ 

As a consequence, the complexity of the main loop so far depends on the costs of 
picking the (2s + 1) random points, evaluating the function / on the corresponding 
flat with probability Pr(Only one flat) and some other negligible operations whose 
complexity we set to one, i.e., (2s + l+3Pr(Only one flat)+l)r, where r represents 
the number of repetitions. We obtain the following values (log 2 ) if we evaluate the 
above formula numerically (cf Table 3). 

Table 3. Numerical results for the time-complexity (in log a ) of the main loop 



n 


s = 2 


s = 3 


s = 4 


3 = 5 


8 


18.47 


21.95 






10 


21.33 


25.58 


29.63 




12 


24.26 


29.41 


34.24 


39.12 


14 


27.23 


33.33 


39.06 


44.72 


16 


30.21 


37.29 


43.97 


50.53 


18 


33.20 


41.27 


48.93 


56.44 


20 


36.20 


45.26 


53.90 


62.40 



Complexity of the SearchForParallelFlats-method. 

From a computational point of view, the for-loop is very expensive, as we have to 
check 2 n_a — 1 parallel flats every time. However, each flat costs only 3 operations on 
average (cf Lemma 11). In addition, we only need this for-loop in 2 _aS+1 of all cases 
as this is the probability that the function is constant on the corresponding flat. The 
other steps in the method are negligible in comparison to the for-loop. We therefore 
identify their average workload as 1. Consequently, the complexity can be approxi- 
mated by (l+3-(2 ~* s+l Pr(only one flat))2 n ~ 2S ~ s+1 )r for the Search For Parallel Flats- 
method, where r denotes the number of repetitions. Numerical values for the time- 
complexity (in log 2 ) of the SearchForParallelFlats-method are presented in Table 4. 
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Table 4. Numerical results for the time-complexity (in log 2 ) of the SearchForParallelFlats- 
method 



n 


s = 2 


s = 3 


5 = 4 


5 = 5 


8 


19.50 


19.18 






10 


24.28 


23.71 


26.11 




12 


29.20 


29.06 


30.73 


35.38 


14 


34.16 


34.83 


35.60 


40.98 


16 


39.14 


40.75 


40.69 


46.79 


18 


44.13 


46.72 


46.20 


52.70 


20 


49.13 


52.71 


52.37 


58.66 



Complexity of the Combine-procedure. 

The complexity analysis of the combine-procedure is a little more tricky. In particular, 
we have to deal with the problem that its complexity depends quadratically on the 
number ofparallel flats we find, i.e., the number |P(C/o)| for a given flat Ua ■ Therefore, 
we cannot simply take the average number of flats for this analysis as the result does 
not reflect the real time complexity of this algorithm. In addition, we have to deal with 
the branching condition (cf Sect. 3.4). 

As we did not expect to find a closed formula for the time complexity of the 
combine-procedure, we used MAG to compute it numerically. As all computations 
are done with rational numbers, there are no rounding errors in MAGMA. In particu- 
lar, we computed the probability for the different numbers of parallel flats we obtain 
in the searchForParallelFlats-method. We only took numbers > 2 e-s into account 
(cfThm. 6) and neglected levels of recursion which appear with too small probability 
« 2 -40 ), due to the branching condition. In addition, we truncated the sum at points 
which did not contribute to the overall workload anymore (expected workload smaller 
than 1). We present the corresponding values (log 2 ) for different choices ofn and s in 
Table 5. 

Table 5. Numerical results for the time-complexity (in log 2 ) of the Combine-method 



n 


8 = 2 


8 = 3 


5 = 4 


5 = 5 


MM 


24.17 


15.97 






MM 


31.15 


22.87 


«0 




mvm 


38.03 


15.76 


»0 


«0 


MSM 


44.97 


23.68 


«0 


«0 


mm 


51.93 


35.02 


«0 


«0 


mm 




43.34 


k0 


ssO 






51.33 


saO 


«0 



These computations were matched by our empirical results. In particular, the 
branching condition proved to be very powerful for s > 3 and n > 12 (note dif- 
ference between n = 10 and n = 12 for s = 3). In these cases, we never needed 
a recursive call of the combine-method for non-normal functions. In addition, the 
probability for a function to be constant on a given flat decreases exponentially with 
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increasing dimension of the flat. Therefore, we expect to find less than 2 e ~‘ flats for 
a > 4 and n < 20 which means that the combine-method is never invoked in these 
cases (fields with « 0 in the above table). 

All in all, it is necessary to chose the starting dimension a correctly, i.e., high 
enough such that the combine-method is still efficient and low enough such that Search- 
ForParallelFlats and the main loop do not need too much time. For dimension n > 10, 
the choice a — 3 turns out to be optimal (cf Fig. 7 for the case n = 16). 

Figure 7. Time-complexity for the main loop (•), SearchForParallelFlats (*), and the 
combine-method (x) for dimension n = 16 and varying s 



time 

l°g 2 
40 -- 



20 



X 



★ 



★ 



★ 



+ 

5 



a 



Asymptotic Analysis. 

Here we sketch the asymptotical analysis of the above algorithm: we begin with the 
observation that for large n and subsequently large 8, the running time will only de- 
pend on the number of repetitions necessary. We justify this reasoning as follows: as 
we saw for the combine-method, we have a very powerful branching condition, i.e., 
asymptotically, this part will not contribute to the overall complexity. The same is true 
for the search of parallel flats: we have a complexity ofO(2<- 2 ' +1 >( n -*>) here, i.e., 
negligible for n — > 00. In addition, we cannot use the implicit evaluation strategy 
anymore in the asymptotic case, as we obtain a rather small probability for having 
exactly one flat a — ♦ OO. Therefore, we drop the corresponding term in our asymptotic 
analysis. For our analysis, we chose a = jn and e = and obtain the following 
asymptotically upper bound on the number of repetitions and thus the running time of 
the algorithm: 

Rep{n, in, ~n , c) = 0(c.2i n3+ ? n ) , 

where c is the target confidence level. To obtain this upper bound, we observe that 
the probability to have a complaisant flat is asymptotically very small. In addition, 
we notice that for large n the factor 2 e-n+ *( e-1 ~ n ) is a tight lower bound on the 
probability PF(n, a, e). Using Theorem 9 and Corollary 10 yields the result. 
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4.2 Comparison with the Algorithm from Daum et al. 

In Fig. 8 and Table 6 we compare the time complexities of our algorithm with that 
of DDL03, for computing the normality of a function in dimension n. We are not 
aware of an asymptotical analysis of the algorithm from DDL03. 

Figure 8. Time-complexity (in log 3 ) of this paper (*) and from DDL03 (•) 
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The time complexity of algorithm ofDDL03, is computed using the formulas given 
there. According to these results, we expect that it is outperformed by our algorithm 
for increasing dimension n. 

Table 6. Comparison of the time-complexity (in log 2 ) 



El 


8 1 


Daum el al. 


Our alg. 


14 


o 


42.58 


44.97 




H 


as 46 


35.27 




n 


ss 52 


39.18 


16 


mm 


51.58 


51.93 




is 


a 54 






Kfl 


as 62 


44.11 



mm 


n 


Daum et al. 


Ktllll.IMB 


18 


mm 


61.17 






mm 


61.01 






D 


>61 


49.13 


20 


mm 


msn 


> 55 




Kfl 


K£S 


>55 




El 


>21 


54.33 



4.3 Empirical Results 

We have implemented our algorithm in a programme with 14,000 lines of C++ 
code. Checking random functions on an AMD Athlon XP 2000+, we obtained the 
following results for e = ^ (normality) and S = 3l 



n 


10 


12 


14 


16 


time [min] 


0.248 


1.21 


42.6 


2880 



As we see in this table, the running time gets quickly out of hand. According 
to DDL03, their programme needs approximately 50 h on a Pentium IV 1.5 GHz 
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for the case n = 14. Our algorithm needs approximately 43 min for n = 14 and 
approximately 2 d for n = 16. Using the complexity analysis of DDL03, we expect a 
running time of more than a year for their algorithm to handle functions of dimension 
n — 16. We also estimated (empirically) the running time for the cases n = 18, 20 
and obtain 2.5 years and 130 years, respectively. 

For our C++ implementation, we have included several improvements: 

Combinatorial Gray codes. In order to compute vectors more efficiently for a 
given basis, we used combinatorial Gray codes (Sav97) and computed all intermediate 
values in a Gray code like fashion. This way, we only needed one computation on 
average rather than ^ when computing elements of the vector space <[/>. 

Optimised Pseudo-Random Number Generator. As the programme spends 
approx. 60% of its time computing random numbers, we concluded that it could 
benefit from a fast way of generating pseudo-random numbers. However, due to the 
high number of repetitions, we still need a long period for the pseudo-random number 
generator. To meet both aims, we used a pseudo-random number generator from Rho 
which combines a multiply with carry generator and a simple multiplicative generator. 
It achieves a period of more than 2 60 , has good statistical properties, and is also very 
fast according to our measurements. For the future, tests with the cryptographically 
secure pseudo-random number generator using Shamir’s T-functions class (KS04) are 
planned. 

Function storage. For the Boolean function to be checked, we can use several 
ways of storing it: bit-wise, byte-wise or in processor-words (32 bit). To make the 
best use of the internal cache of the processor, a bit-wise storage turned out to have 
the best performance for dimensions n > 12. For dimensions n < 10, an word-wise 
storage was clearly better as we do not have the overhead of retrieving single bits from 
a word. 

5. Conclusions 

In this paper, we present a fast asymmetric Monte Carlo algorithm to determine the 
normality of Boolean functions. It uses the fact that a function which is constant on a 
flat of a certain dimension is also constant on all sub-flats of lower dimension. In ad- 
dition, we evaluate “parallel” flats using the implicit evaluation strategy (cf Sect. 3.2). 
Starting with flats of dimension 8 and combining them until a flat of dimension e is 
obtained, we achieve a far lower time-complexity than with exhaustive search on flats 
of dimension e. 

In particular, this algorithm is far faster than the previously known algorithm (43 
min in comparison to 50 h) for dimension 14 (cf4.2). Moreover, it is the first time that 
the important case n = 16 can be computed on non-specialised hardware in 2 days 
(previously: more than a year). Using the fact that our algorithm can be parallelised 
easily, this figure can even be improved and we can even handle the case n = 18 (16 
computers in 8 weeks). For scientific purposes and at present, n = 20 seems to be out 
of reach as it would take 128 computers about 1 year. 
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Abstract Reversible circuits are a concrete model of reversible computation with applica- 
tions in areas such as quantum computing and analysis of cryptographic block 
cyphers. In 1980, Toffoli showed how to realize a Boolean function by a re- 
versible circuit, however the resulting complexity of such circuits has remained 
an open problem. We investigate the reversible circuit complexity of families of 
Boolean functions and derive conditions that characterize whether a polynomial 
realization is possible. 

First, we derive sufficient conditions on families of Boolean functions that 
guarantee a polynomial-size reversible circuit realization. Namely, we show 
that if a Boolean function can be embedded into an even parity permutation 
that has a polynomial-size cycle representation, then the Boolean function can 
be realized by a polynomial-size reversible circuit. Furthermore, we provide 
a construction for the realization. Second, we provide concrete realizations for 
several families of Boolean functions, such as the adder, incrementor, and thresh- 
old functions, which do not necessarily satisfy the preceding condition, but still 
have polynomial- size realizations; this is important because such realizations 
will necessarily form the building blocks of quantum computers. 

Keywords: Reversible computation, circuit complexity, Boolean functions 

1. Introduction 

Reversible circuits, introduced by Landauer [Lan61] and formalized by Toffoli and 
Fredkin [Tof80, FT82], are a concrete model of reversible computation that have 
come to prominence in the last few years; their applications range from quantum 
computing [BBD+95], where reversibility is a prerequisite, to analysis of crypto- 
graphic block cyphers [Cle90, EG83], which use primitives that are nearly identical 
to those comprising reversible circuits. Reversible computation is based on a notion 
of equivalence between information and entropy that was formalized by Shannon and 
Weaver [Sha48, SW49], but dates back to Maxwell’s Demon [Max71] and the work 
of Szilard [Szi29], Namely, the operations comprising a reversible computation may 
not discard any information during the course of the computation. In this paper we in- 
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vestigate the reversible circuit complexity of families of Boolean functions and derive 
conditions that characterize whether a polynomial realization is possible. 

Reversible circuits on n lines (wires) realize permutations on the Boolean cube of 
dimension n. In 1980, Toffoli |Tof80] showed how to embed Boolean functions into 
permutations and thus, be realizable by a reversible circuit. Namely, an «-adic Boolean 
function can be embedded into a permutation on a Boolean cube of dimension n + 1 . 
However, just as in the case of classical circuit complexity, the complexity of the 
corresponding reversible circuit is difficult to determine. Some results were obtained 
by Cleve [Cle90], who showed that polynomial length compositions of D.E.S.-like 
cipher functions — function generators, of fan-in 2 — can compute NC 1 . The construc- 
tion is reminiscent of Barrington’s [Bar86] proofthat width-5 permutation branching 
programs compute NC 1 . The point ofCleve’s investigation was to determine if such 
ciphers could be used as pseudorandom generators. 

Alternatively, since most Boolean functions are irreversible, the reversible circuit 
complexity of a Boolean function is directly related to the complexity of simulating 
irreversible computation reversibly. Bennett [Ben73] first described two simulation 
techniques, within the context ofTuring machines, that used additional space to record 
a check-point based history of the simulation. The first simulation used O(T) time and 
0(S + T) space to reversibly simulate a computation that takes T time and S space; 
the second simulation used 0(T 2 ) time and 0(5 log T) C 0(5 2 ) space. The latter 
simulation was later refined to use 0(7' I+E ) time and 0(5 log T) space [Ben89, LS90]. 
Although Bennett’s constructions are of the same spirit as the circuit constructions of 
Toffoli [Tof80], it is the space parsimonious reversible simulation ofa Turing machine 
by Lange et al. [LMTOO] that mostly closely resembles the n-line reversible circuit 
model. 

We show that any even parity permutation on an ^-dimensional Boolean cube 
whose cycle representation is of size j can be realized by a reversible circuit of size 
0(sn). The key corollary is that any Boolean function that can be embedded into a per- 
mutation with a polynomial size cycle representation, can be realized by polynomial 
size reversible circuit. Furthermore, the proof is completely constructive, yielding a 
simple methodology for designing reversible circuits. 

In many cases this bound is not tight because there are many families of func- 
tions, such as the incrementor, whose corresponding permutations have exponentially 
large cycle representations, but polynomial-size circuit realizations. We exhibit sev- 
eral families of functions with such characteristics and derive realizations for them. 
Particularly, we focus on functions that are commonly implemented in hardware and 
will necessarily need to be implemented as part of a quantum computer, i.e., reversibly. 
We consider several families of functions, including incrementors, adders, consensus, 
and threshold functions. 

In Section 2 we formally define the reversible circuit model and describe how 
Boolean functions are embedded within permutations on the Boolean cube. In Sec- 
tion 3 we prove our main result and in Section 4 we provide concrete constructions 
for several families of Boolean functions. Section 5 summarizes some of the tech- 
niques for constructing reversible circuits and finally, section 6 places our results in 
the greater context and provides some future directions. 
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2. Background 

Reversible circuits comprise a number of wires, called lines, and reversible gates 
that operate on the lines. The lines cany binary values, 0 or 1, which are placed on 
the lines’ input terminals, are modified by gates operating on the lines, and are read 
off the lines’ output terminals; by convention, the input terminals are on the left side 
and the output terminals are on the right (see Figure 1). Each gate operates on at most 
three lines. All but one of the lines pass through the gate unmodified and are called 
control lines. The remaining line, called the toggle line is XORed by the gate with 
the conjunction of the values of the control lines. Each gate realize a bijection on the 
Boolean cube and each gate is also it’s own inverse. 

Let B„ — {0,1}" denote the Boolean cube of dimensions, let x G B n denote ann-bit 
vector, and let jq denote the ith bit of*. A reversible circuit C, on n lines, is specified 
by a sequence of m gates, C = g\g 2 ■ ■ -gm'- the gates are the NOT gate, denoted ©,•; the 
controlled-NOT gate, denoted ®/ ; and the Toffoli gate, denoted ®{ A *, where j,k 6 [n] 
specify the control lines and i € [n] specifies the toggle line. In the nomenclature of 
Coppersmith and Grossman [CG75], the three gates correspond to the 0-, 1-, and 2- 
functions, respectively. For example, the circuit in Figure 1 comprises two Toffoli 
gates and two NOT gates. 

The output of circuit C on input*, is denoted C(x), and the composition and inverse 
of circuits corresponds respectively to the concatenation and reversal of the circuits’ 
gate sequences; we write CC' to denote the concatenation of two circuits and C -1 to 
denote the inverse of C. Each reversible circuit realizes a permutation on the Boolean 
cube B n , corresponding to an element of the symmetric group Si"- We write C ~ 
O € Si" if C realizes permutation O and we write C ~ C' if C and Cf realize the same 
permutation, e.g., C~ (1 23). For conciseness, we assume that circuit C( X yz) ~ (*yz), 
x,y,z € B n and in general that circuit C 0 ~ O. 

We often use a notion of a controlled circuit in our constructions. An ©-controlled 
circuit, denoted C^\ performs two different permutations depending on the value of 
line i, leaving the value of line i unchanged. If line i has value 1, the circuit performs 
a fixed permutation, otherwise the circuit performs the identity permutation. Analo- 
gously, a (j)-controlled circuit performs a fixed permutation only if the value of line 
(i) is 0. In general, a circuit is x-controlled, for some jc £ 5* and k < n, if the circuit, 
denoted C x , is controlled by a fixed subset of control lines of size k. If the lines hold 
the value x, then C® performs a fixed permutation, leaving the control lines unchanged, 
and performs the identity permutation otherwise. For example, the circuit in Figure 1 
is a (3)-controlledcircuit, 




Figure 1. 



The circuit C = ® 3 ©2 A3 ©? A3 ©3 - 



• (123). 
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For conciseness, we use several schematic short forms. First, the £-line controlled 
Toffoli gate, k < n - 1, which computes the conjunction of k lines and XORs the 
output line. A Mine controlled Toffoli (A-Toffoli) gate can be constructed using 0(A) 
Toffoli gates [BBD+95] and is illustrated in Figure 2a. Second, the controlled A-NOT, 
comprises k controlled-NOT gates that are all controlled by the same line. In most 
cases, we will be using the controlled (n - l)-NOT, which is illustrated in Figure 2c. 
Additionally, we use blocks to denote a component of a circuit: a component may 
either be simple (Figure 2e); controlled (Figure 2d), i.e., controlled by another line; 
or a A-function (Figure 2b), i.e., XOR a line with a Boolean function computed on k 
other lines. The controlled A-NOT and the A-Toffoli gate are examples of a controlled 
component and a A-function. 

The size of circuit C, denoted |C| is the number of gates comprising C. The depth 
of C, denoted d(C) is the length of the longest path through the directed acyclic graph 
induced by circuit C: the lines correspond to right-oriented arcs, the gates correspond 
to vertices of equal indegree and outdegree, the input terminals correspond to vertices 
with indegree 0, and the output terminals correspond to vertices of outdegree 0. Two 
gates are pairwise independent if there is no path from one to the other in the induced 
graph. Since the number gates that are all pairwise independent is at most n, the depth 
of a circuit is at most a factor of/; less than the size, i.e., |C|/n < d(C) < |Cj. Finally, 
the size of the cycle representation of a permutation 0, denoted |o|, is the number of 
points in the permutation that are not fixed, e.g., a transposition has size 2. 

2.1 Embedding Boolean Functions 

To realize a Boolean function by a reversible circuit, the function must first be 
embedded into a permutation, because reversible circuits can only realize permutations 
on the Boolean cube. In the spirit of Toffoli [Tof80], an (n + c)-embedding of an n- 
adic Boolean function/ is a permutation 0 on an n + c dimensional Boolean cube such 
that if y = GX, for any input x (padded with zeros), then_y n+c = /(*)• The embedding 
is said to be input-preserving if*,- =yi, for all i G [n], i.e., the embedding preserves 
the input. 

In many physical contexts, such as quantum computation, using additional lines — 
in addition to the n lines containing the input — is expensive. Thus, we restrict our 
attention to embeddings that use the minimum number of additional lines: c < 2. Un- 
less /is linear in some variable Xj, i.e., f{x) = g(jti,...,x,_i,;c, + i,. .. ,x„) ® Jt„ an 
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Figure 2 

a) A A-Toffoli gate; 

b) a A-function component; 

c) a controlled n-NOT; 

d) a controlled component; 

e) a simple component. 
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input-preserving /j-embedding of/does not exist; and, if/is unbalanced, there does 
not exist any kind of n-embcdding of/[Tof80], Thus, in most cases we consider re- 
alizations of(n + l)-embeddings, i.e., c = 1. In fact, ifwe require an input-preserving 
embedding of an unbalanced function with an odd number of satisfying assignments, 
only an (n + 2)-embedding will suffice. 

If fis Boolean function of the form / : B n -4 B*, 1 < k < n, a similar criterion can 
be derived. However, many such functions do not have an (n+c)-embedding, where c 
is a constant [Tof80]. For example, the multiplication function, which takes two «-bit 
strings and yields a 2 n bit string, does not have a m-embedding where m < An ! 

On two occasions we consider functions that are of the form / : B„ — I B n , e.g., the 
incrementor (counter) function that maps z — > z + 1 mod 2". In this case, even if/ 
is a bijection, a corresponding n-embedding does not exist because the corresponding 
permutation has odd parity. For n > 3, odd parity permutations cannot be realized by 
a reversible circuit that comprises NOT, controlled-NOT, and Toffoli gates [CG75], 
However, an ( n + l)-embedding of even parity is possible, and hence can be realized 
by a reversible circuit on n + 1 lines. 

The reversible circuit complexity of a Boolean function/, is the minimum over all 
circuit realizations of all possible embeddings off. However, determining reversible 
circuit complexity of realizing a permutation is not obvious. In the next section we 
characterize families of permutations, and hence families of Boolean functions, that 
have reversible circuit complexity which is polynomial in n. 

3. The Main Result 

In this section we prove the following theorem: 

THEOREM 1 Any even parity permutation O on B n , can be realized by an n-line cir- 
cuit of size 0(|o|n). 

The proof comprises three parts: first, we prove that given a circuit that realizes 
a permutation that is represented by a single 3-cycle, the circuit can be modified to 
realize any other 3-cycle and that the modifications can be accomplished with 0(ri) 
gates. Second, we show that the 3-cycle (012) can be realized by a reversible circuit 
on n > 1 lines that is of size O(n). Third, we note that any even parity permutation 
whose cycle representation is of size s can be factored into O(s) 3-cycles. Combining 
these three facts yields the result. The following lemma and its corollary form the 
heart of the first part of the proof, which is summarized in Theorem 4. 

LEMMA 2 Let C( 0 12 ) be a reversible circuit on n lines. For any x,y G B„, x ^ y 
and x,y 7 ^ 0, there exists a reversible circuit C of size O(n), such that the circuit 

CC^\2)C~ [ ~C ( 0 ^). 

Proof: Select two lines i and j, setting u = XiXj, V ~ytyj, U,v £ B 2 , such that U ^ V 
and u,v £ {1,2,3}. Such a choice is possible, otherwise x = 0,y = 0,or x=y, none 
of which can happen because (Oxy) is a 3-cycle. Call lines i and j the control lines. 
The circuit C consists of three stages. Stage one comprises W-M Toffoli gates plus 
M-M Toffoli gates. The first subsequence is bracketed by a pair of NOT gates on 
line i (j) if Xi (xj) is 0; the second sequence is analogously bracketed if yi (yj) is 0. For 
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each *7 i U> if jcjt =r 1 aToffoli gate ©j^, controlled by lines i and j, toggles line k. 
The second subsequence ofToffoli gates is analogously specified. Thus, on input* or 
y, all lines but lines i and j are toggled to 0. 

Stage two swaps line i with line 1 and line j with line 2. This can be done using 
0(1) gates. Finally, stage three manipulates lines 1 and 2 since these lines now hold 
the value of the control lines. If« ^ 1 and v ^ 2, then stage three maps u to 1 and v to 
2; this also takes 0(1) gates. Therefore, circuit C maps input 0 to 0, input* to 1, and 
input y to 2, using 0(\x\ + \y\)CO(n) gates. The circuit may permute other points in 
fl„,but this is of no consequence. 

Since C~ (*1 ... v2...), composing circuit CwithCjo ( 2 ) in the form of a conjugate 
yields 

CC ( 0 , 2) C-' ~ (x 1 . . .y2. . ,)(0 1 2)(x 1 . . .y2 . . = (Oxy) ~ C [0xy) , 

which completes the proof. ■ 

COROLLARY 3 Lei C(Q xy ) be a reversible circuit on n lines. There exists a reversible 
circuit C of size 0(n), such that the circuit CC^Q xy )C~ l ~C(oi 2 )- 

Theorem 4 follows easily from the lemma and the corollary. 

Theorem 4 (3-cycle Hardness Theorem) IfC( xyz )is a reversible circuit on 
n lines, then for any distinct x' ^ ^ E B n , there exists a circuit C of size O(n), such 
that CC( xyz )C 1 ~ 

Proof: Since XORing the input with a constant bit vector can be performed by 

0(ri) NOT gates, we can transform C( xyl ) into Copt, where y = y © x and z = z © 
X. Similarly, for a circuit C(oyf), where /=y©*' and 2 ~ f ©*', can be trans- 
formed into using 0(n) gates. Let C x be the circuit comprising |x| NOT gates 

such that C x C (xyz) C-' ~ C^p x ) and correspondingly let Cy be such that ~ 

Ct'Cfoyf'jQ/ -1 . 

By Corollary 3, C( qj>z) can be transformed into C(o 1 2 ) and by Lemma 2, this circuit 
can be transformed into Cjoy?), also in 0(n) gates. Let C) and C 2 be the circuits such 
that C( 0 1 2 ) ~ Cj C m) C; 1 and C( 0 y y) ~ C 2 C( 0 1 2 )Cf 1 . Since 

C(j<y 7> ) ~ Q < C 2 C| C x C( xyz ) Cf 1 C f 1 Cf 1 C X I ~ 1 , 

setting C = CyC2CiCr, which is of size 0(n), completes the proof. ■ 

Thus, all 3-cycles are equally hard to realize in the sense that, given a polynomial 
size realization of one 3-cycle, any other 3-cycle can be realized by using an additional 
0(n) gates. The second step of the proof. Theorem 5, shows how a 3-cycle can be 
realized by a reversible circuit of size 0(n). 

THEOREM 5 For n > 1 there is an n-line reversible circuit C(o ] 2 ) of size 0(n). 

Proof: If 1 < n < 3 we can construct a reversible circuit that realizes any permutation 
and uses a constant number of gates [CG75]. 
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For n > 3, observe that permutation (012) may be factored into Xj = (0 0(63) and 
t 2 = (02)(63). Thus, we need only demonstrate that permutations X) and X 2 can be 
realized in O(n) gates. 

First, the permutation (01)(23) (respectively (02)( 13)) may be realized by 0(n) 
gates. The circuit comprises three stages: a negation, followed by a toggling, followed 
by a negation; each stage requires 0(n) gates. Stages one and three negate the n - 
2 lines 3 The middle stage comprises an ( n - 2)-Toffoli gate, controlled by 
lines 3 that toggles line 1 (respectively line 2). Let C (0I)(23) ~ (°1)(23) and 
C(02)(!3) ~ (02)(1 3) respectively. 

Next, we construct a reversible circuitC(oi)( 63 ) that realizes permutation (01)(63). 
The reversible circuit Co,=©|©l A2 © 1 realizes a permutation that transposes 2 and 
6 and whose fixed-points include all points that are congruent to 0, 1, or 3 modulo 4. 
SinceOi(01)(23)Oi = (01)(63), thereforeC( 0 |)( 6 3 ) = C'o,C( 0 |)( 23 )C , o, -1 . 

Similarly, we construct C(o2)(63)- The circuit Co 2 = ©2 ©] A2 ©2 transposes points 
1 and 5, with the fixed-points comprising all points that are congruent to 0, 2, and 3 
modulo 4. Using conjugation, we construct circuit C(o 2 )( 53 ) = C<j 2 C(o 2 )(] 3 )C 0r The 
circuit Cp = ®f A3 ®j A3 ©f A3 , switches the values of the lines 1 and 2, using line 3 as 
the control. Permutation p transposes 5 and 6; only points congruent to 5 or 6 modulo 8 
are permuted. Since P(02)(5 3)p — 1 = (02)(63), therefore C (02 )(63) =CpC( 0 2)(S3)Cp '• 

The required circuit is C(q 12 ) = C(o I )(6 3)^-(0 2)(63) is of size 0(ri). ■ 

In conjunction with Theorem 4, we get the following two corollaries. 

COROLLARY 6 Any 3-cycle can be realized by a reversible circuit on n > 1 lines of 
size O(n). 

COROLLARY 7 A permutation on B , | comprising two disjoint transpositions, can be 
realized by a reversible circuit on n lines of size O(n). 

Proof: This follows from the fact that ( ab)(cd ) = (abc){cad). ■ 

We note that every even parity permutation O can be factored into |o| — 1 transpo- 
sitions and that by Corollary 7, any pair of transpositions can be realized with 0(n) 
gates. Hence, every even parity permutation C has a reversible circuit realization of 
size 0(\a\n), which is the statement of Theorem 1. Thus, any Boolean function that 
has an embedding with a polynomial size cycle representation can be realized by a 
polynomial size reversible circuit. Unfortunately, the converse is not true. There are 
many families of Boolean functions, such as the negation of a projection, and the in- 
crementor, that have an exponential size cycle representation but a concise reversible 
circuit realization. In the next section we detail realizations for several of such families 
of functions. 

4. Applications: Concrete Realizations 

Two common families of functions that are ubiquitous in digital circuits are the 
incrementor family, which includes the decrementor and the adder, and the threshold 
family, which includes such variants as the conjunction, the disjunction, the majority. 
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and the consensus. We first describe how to realize an incrementor, or more precisely, 
a near approximation of one. The adder can then be built from a number of incremen- 
tors. 

The incrementor presents an interesting challenge for several reasons. First, its cy- 
cle representation is large, comprising all 2" points of the Boolean cube. Second, even 
though the incrementor is a bijection, it cannot be realized (in full) by a reversible 
circuit because the corresponding permutation has odd parity [CG75]. Thus, at best, 
the incrementor can only be approximated by a reversible circuit. Even though the cy- 
cle representation is large, various approximations of the incrementor can be realized 
efficiently: our realization is of size and depth 0(n 2 ). 

4.1 Realization of Various Incrementors 

Since a full incrementor on B n is impossible [CG75], we begin by constructing a 
half-incrementor that performs a full increment on the subspace B„-\ and is repre- 
sented by two disjoint cycles of the form 

it = (0 1 . . . 2"~ l — l)(2 n-1 2"' 1 + 1 . . . 2” — 1). 

By concatenating this realization with another small circuit, we construct a nigh- 
incrementor, which corresponds to the permutation 

7t' = (01 . . . 2” -1 — 2), 

i.e., performs the operation z — > z + 1 mod 2" — 1 rather than mod 2". 

The half-incrementor can be realized via a sequence of &-Toffoli gates, where k = 
n - 2...0. Observe that an incrementor modifies the ith least significant bit of the 
input if and only if the conjunction of the i - 1 least significant bits of the input is 
equal to 1. Thus, the circuit comprises n - 1 components (A-Toffoli gates), where the 
/th gate is an (n - 1 - y)-Toffoli gate that negates line n - j and is controlled by the 
lines 1 ... /I - 2 - j; see Figure 3. 

The nth line of the circuit in Figure 3 is required in order to realize the (n - 2)- 
Toffoli gate. The line is used as a temporary register and retains its original value by 
the end of the computation of the (n - 2)-Toffoli gate. Via straightforward induction 
on n, it is easy to see that the circuit realizes permutation it. Since the realization of 
each &-Toffoli gate comprises 0(k) normal Toffoli gates (2-Toffoli gates) [BBD+95], 
the half incrementor may be realized in 0(n 2 ) gates. It follows that if we use an 
additional line, then a complete incrementor can be realized, otherwise, the best we 
can hope to realize is a nigh-incrementor. 
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Figure 3. A half-incrementor circuit. 



Figure 4- A nigh-incrementor circuit. 
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The nigh-incrementor is realized by concatenating an additional circuit onto the 
one that realizes a half-incrementor. Since the nigh-incrementor corresponds to the 
permutation Jt', let p = 7C — *7t / = (0 2" -1 2" — 1), and thus the circuit C k Cq = Crf, 
depicted in Figure 4, realizes the nigh-incrementor. By Corollary 6, the complexity of 
Cp is 0(n). Hence, the circuit complexity of the nigh-incrementor is also 0(n 2 ). The 
half-incrementor is also the basic component in the construction of the adder. 

In contrast to the incrementor, the adder requires no additional lines; this is because 
the adder corresponds to an even parity permutation. An adder that takes two n-bit in- 
puts, on 2n lines and outputs the result on the latter n lines, n + 1,...,2 n, and the first 
summand on the formers lines, 1 ,...,«. The adder comprises a sequence of n con- 
trolled half-incrementors; see Figure 5. The foh half-incrementor is controlled by line 
k, k £ [n], and increments the n - k most significant lines of the second summand, i.e., 
the increment is performed on lines n + k,...,2n. This follows from the observation, 
that adding 2 J to an n-bit value corresponds to performing an increment on the n - j 
most significant bits. The adder does exactly that, performing a controlled increment 
for each of the n bits of the first summand. Since each half-incrementor can be realized 
in 0(n 2 ) gates, the entire adder can be realized in 0(n 3 ) gates. 

Unfortunately, there seems little that can be done to reduce this bound. For ex- 
ample, implementing a ripple adder is difficult because each stage of the ripple adder 
loses information — the preceding carry — implying that in order for a ripple adder cir- 
cuit to work reversibly, all carry information needs to saved; we know of no way to 
accomplish this. 

Realization of Threshold Functions. Quantum computing is inher- 
ently a probabilistic model of computation. Therefore, threshold functions, including 
the consensus function, are themselves necessarily useful in quantum computing. Ex- 
cept for one case — a majority of an odd number of variables — none of the threshold 
functions have an n-embedding. However all threshold functions have ann+ 1 em- 
bedding, and in many cases an input-preserving one. The threshold functions that 
are easiest to realize are the consensus, conjunction, and disjunction functions on n 
variables. 
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Figure 6. A circuit. 
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The consensus function evaluates to 1 if and only if all n variables have the same 
value. In fact, this function has input-preserving (n + l)-embedding comprising two 
transpositions: (02") (2* — 1 2" +1 — 1). Thus, by Corollary 7, consensus has a con- 
cise realization of size 0{n). On the other hand, the conjunction function — as well 
as its dual, disjunction — do not have an input-preserving (n + 1 (-embedding because 
the embedding would be an odd parity permutation, comprising one transposition: 
(2" - 1 2" +1 - 1). However, there are many nearly input-preserving embeddings, like 
(12) (2" — 1 2 n+ - 1), whose complexity, by Corollary 7, is also 0(n). 

More complicated threshold functions can be realized by composing the X”=* (J) 
transpositions, (*A where |jc| > k and x' = 2” © jt; each transposition corresponds 
to a 1 in the threshold’s truth table. We assume that k > n/2 since computing the 
dual only requires an additional O(n) gates. This yields realizations of size O (d)n) 
for threshold function Tk,n, k > n/2, where n is the number of variables and k is the 
threshold. However, the resulting realization are not necessarily obvious. We present 
a recursive construction that yields realizations with the same asymptotic complexity, 
but with a more analyzable structure. 

A realization of threshold function Tk <n comprises two simpler threshold function 
realizations. The two components of a realization of Tk, n are a controlled realization 
of 7t_i l „_|, and a controlled realization of Tk >n -\', see Figure 6. 

If line n has value 1, then the circuit needs only to check that the weight of the 
remaining n - 1 lines is k - 1 or greater. The first controlled component, which realizes 
r*_ performs this function. Otherwise, if line n has value 0, the weight of the 
remaining n — 1 lines must be k or greater if the threshold is to be met. The second 
controlled component — a 7jt >n _ i that is controlled by the negation of line n — performs 
this task. Each of the components are realized in the same way; the base cases, T\ , m and 
are simply disjunctions and conjunctions over m variables, where 1 < m < n. 

The complexity ofthis construction, particularly for the majority function, is expo- 
nential in n. The recurrence relation R(k,n ) = R{k - 1 ,n - 1) + R(k,n - 1) describes 
the complexity of the construction — each of the two terms includes one of the two 
additional NOT gates. The boundary conditions are /?(1, m) = R(m,m ) = cm, where 
c is constant factor. Thus the complexity of the realization of Tk t n, is O(d)k). Not 
surprisingly, the complexity of the realization is the same for both constructions. The 
threshold function is a prime example characterizing the application of Corollaries 6 
and 7. Namely, that many Boolean functions have recursive realizations. The corol- 
laries are useful for creating realizations of the base cases, which are then composed 
to yield the entire realization. 

5. Techniques for Realizing Reversible Circuit 

Three repeatedly used mechanisms for realizing circuits are commutators, conju- 
gates, and “don’t cares”. The commutator of two circuits [Co,C,] = C 0 C T C- | C- 1 - 
assuming that permutations a and X do not commute — is a mechanism for combining 
two circuits, which are controlled by distinct sets of control lines, into one that is con- 
trolled by union of the control lines, e.g., Barenco et al. [BBD+95] used this approach 
to construct (n - 2)-Toffoli gates. 
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The conjugate of one circuit by another, CgC^C^, preserves the cycle structure 
realized by C T , but changes the points within the cycles. This mechanism is useful 
for massaging a circuit that does ‘almost the right thing’ into one that performs the 
required permutation. Conjugation was heavily used in the proof of the main result, 
particularly in the construction and transformation of 3-cycles. Conjugation decouples 
circuit structure from input representation, i.e., if the structure of the permutation that 
is realized by the circuit is correct, then the circuit can easily be adapted to work on 
the right set of inputs with a small amount of additional circuitry. 

An input-preserving realization of the conjunction function corresponds to a singe 
transposition — an odd parity permutation. Since an odd parity permutation cannot be 
realized by a circuit on four or more wires [CG75], an even permutation, comprising 
two transpositions, is used. The additional permutation affects two other points of 
the input but does not affect the output; namely, we sacrifice the input-preserving 
property to achieve the realization. In a sense we take advantage of the fact that we 
"don’t care” what the outputs of the input carrying lines is, provided that the line 
carrying the output value is correct. This approach is similar to the Karnaugh-maps 
method [Kar53], which is used for optimizing general combinational circuits. 

6. Discussion 

Reversible circuits are a concrete model of reversible computation that also satisfy 
the underpinnings of quantum computation; namely, quantum computation must be 
reversible. Since classical Boolean functions will necessarily comprise some building 
blocks of a quantum computer, determining how these functions can be reversibly 
realized is an important problem. We have shown that if a Boolean function/ can 
be embedded into a permutation O on an «-dimensional Boolean cube, such that the 
cycle representation of(J is of size ,v, then function/ can be realized by a reversible 
circuit of size 0(sn). Furthermore, we showed how these results can be applied by 
detailing realizations of several families of Boolean functions such as incrementors 
and threshold functions. 

One of the motivations of this work is quantum computation. One can ask how 
quantum circuits — which were introduced by Feynman [Fey86] and formalized by 
Deutch [Deu89] — compare to reversible circuit. In 1995, Barenco et al. [BBD+95] 
showed that quantum circuits can realize all permutations on an n-line circuit. Thus, 
not only are quantum circuits strictly more powerful than reversible circuits, they can 
also be more concise. However, the issue of whether quantum circuits are exponen- 
tially more powerful than reversible circuits remains open. Although, the famous 
factoring algorithm of Shor [Sho97], may indicate an affirmative answer, the result of 
Valiant's [ValOl] indicates that in many cases the answer is negative. Since quantum 
circuits can simulate reversible circuits with no overhead — the Toffoli and NOT gates 
are commonly included in the basic set of quantum gates [BBD+95] — the results in 
this paper are also applicable in the quantum setting. 

There is a useful analogy between our result and the fact that functions with heavily 
unbalanced truth tables have concise circuit realizations. Namely, if the ratio of Is to 
Os in the truth table is 0{2~ n n c ) or Cl(2 n n- ' c ) for some constant c, then the number of 
terms in the corresponding disjunction — and the number of transpositions realized by 
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the corresponding reversible circuit — is small. However, a function whose truth table 
is relatively balanced may also have a small realization. 

Unfortunately, if a Boolean function/ is nearly balanced and has an embedding 
whose cycle representation is exponentially large, there is no way to determine if / 
has a polynomial-size reversible circuit representation. For example, an n-line cir- 
cuit comprising a single NOT gate realizes a permutation whose cycle representation 
comprises 2"~ l disjoint transpositions! 

One possible approach is to partition the transpositions into equivalence classes 
based upon the behaviour of the transposition on a lower order Boolean cube. For 
example, a NOT gate on the first line of a circuit performs the permutation (01) on a 
one line circuit, (01)(23) on a two line circuit, and n*=o 2” — 1 (2/ 2 i+ 1) on an u-line 
circuit; all belong to the same equivalence class. Put another way, if a permutation 
can be projected onto a lower dimensional Boolean cube, and the sub-cube can be em- 
bedded into the original Boolean cube to yield the original permutation, then both the 
projection and original permutation belong to the same equivalence class. The com- 
plexity of realizing any element of the class is equal to the complexity of realizing the 
smallest element. In the example above, the NOT equivalence class has a complexity 
of 1, regardless of n. If a permutation can be factored into representatives of equiva- 
lence classes, then the complexity of realizing the permutation is simply the sum over 
the complexities of each of the representatives. 

Even this is insufficient, because the nigh-incrementor, has a cycle representation 
that comprises a single exponentially large cycle. Yet, as we have shown, the nigh- 
incrementor has a concise realization. Unlike in the preceding case, projecting the 
permutation onto a lower dimensional Boolean cube does not work. Factoring a per- 
mutation into representatives is itself a difficult problem. For example, the decomposi- 
tion of the nigh-incrementor into a 3-cycle and a half-incrementor is not at all obvious 
without a priori knowledge. 

Finally, we note that a reversible realization can easily be realized by an irreversible 
circuit whose size and depth is only a constant factor larger than the reversible re- 
alization. In essence, a bound on the reversible complexity of a Boolean function 
automatically yields a bound on the classical circuit complexity of the function; the 
converse, is not true [LV96, LTV98, BTV01], Thus, determining ifa Boolean function 
has a concise reversible circuit realization remains an open an challenging problem. In 
fact, a simpler question should be answered first: can the n-adic majority function be 
efficiently realized by an (n + c)-line reversible circuit, where c is a constant? Alterna- 
tively, either improving the realization of the half-incrementor or proving a quadratic 
lower bound would also be of great interest. 
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Abstract Revisiting the thirty years-old notions of resource-bounded immunity and sim- 
plicity, we investigate the structural characteristics of various immunity notions: 
strong immunity, almost immunity, and hyperimmunity as well as their corre- 
sponding simplicity notions. We also study fc-immunity and fc-simplicity and 
their extensions: feasible fc-immunity and feasible fc-simplicity. Finally, we pro- 
pose the fc-immune hypothesis as a working hypothesis that ensures the exis- 
tence of simple sets in NP. 
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1. Foundations of Immunity and Simplicity 

The original notions of immunity and simplicity date back to mid 1940s. Post 
[17] first constructed a simple set for the class of recursively enumerable sets. The 
new breed of resource-bounded immunity and simplicity waited to be introduced un- 
til mid 1970s by an early work of Flajolet and Steyaert [5], In their seminal paper, 
Flajolet and Steyaert constructed various recursive sets that, for instance, have no infi- 
nite DTIME(t(n))-subsets under the term “DTIME(<(n))-immune sets." Later, Ko 
and Moore [11] studied the polynomial-time bounded immunity, which is now prefer- 
ably called P-immune sets. Subsequently, Balcazar and Schoning [2] considered P- 
bi-immune sets, which are P-immune sets whose complements are also P-immune. 
Flomer and Maass [8] extensively discussed the cousin of P-immune sets, known as 
NP-simple sets. The importance of these notions was widely recognized in 1980s. 
Since these notions can be easily expanded to any complexity class C, we begin with 
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an introduction of the general notions of C-immune sets, C-bi-immune sets, and C- 
simple sets. These notions are further expanded in various manners in later sections. 

Definition 1 Let c be any complexity class of languages over alphabet E. 

1 A set S is C-immune ifS is infinite and there is no infinite subset ofS in C. 

2 A set S is C-bi-immune ifS and Sare both C-immune. 

3 A set S /.vC-simple if S belongs to C and S is C-immune. 

Note that the existence ofaC-simple set immediately implies C f co-C; however, 
the separation C f co-C does not necessarily guarantee the existence of C-simple sets. 

Throughout this paper, we set our alphabet E to be {0,1}. Let N (or w) denote 
the set of all nonnegative integers and set N + = N — {0}. All logarithms are taken 
to base 2 and a polynomial means a multivariate polynomial with integer coefficients. 
We assume a standard bijection from E <u ' to E* that is polynomial-time computable 
and polynomial-time invertible, where E <w is the set of all finite sequences of strings 
over E. This bijection enables us toidentify E <u; with E*. We use multi-tape off-line 
Turing machines ( TMs , in short) as a model of computation. Assumed is the reader’s 
familiarity with basic complexity classes, such as P, NP, E (linear exponential time), 
and EXP (polynomial exponential time). This paper focuses mostly on the complexity 
classes lying in the polynomial-time hierarchy 1 {AE.E^nHfceN} [12]. 

We mainly use “partial” functions and all functions are presumed to be single- 
valued. Since total functions are also partial functions, we will define function classes 
as collections of partial functions and, whenever we need total functions, we will 
explicitly indicate the totality of functions. Now, fix k G N + . The notation FA£ 
denotes the collection of all single-valued partial functions / such that there exist 
a set B e j and a polynomial-time deterministic oracle TM M satisfying the 
following condition: for every x, if x G dom(/) then M B (x) halts in an accepting 
state and outputs f(x) and otherwise, M B (x) halts in a rejecting state (in this case, 
f(x) is undefined). In particular, write FP for FAj\ 

A set A is called A B -m-reducible to another set B via a reduction / if / is a total 
FAfc-function from E* to E* and A = {x | f(x) G B }. If in addition / is honest 2 , 
then we say that A is h-A^-m-reducible to B. Moreover, a set A is A£ -tt-reducible to 
B via a reduction triplet (i/, /, a) if(i) u is a total FA^-functionfrom E* to { 0 } * ,(ii ) / 
is a total FAjj -function from E* to E* such that, for every x, f(x) — (y\ , y^, . . . , yf) 
for certain strings yj, y 2 , ■ ■ ■ ,yk, where k — |i^(a;)|, (iii) a is a total FA£ -function 
fromE*xE*to {0,1} such that A = {a; | a(x, B(f(x))) — 1}, where B(/(a:))isan 
abbreviation of the fc-bit string B(yi)B(yf) ■ • ■ B(yf) when f(x) = (yt,..., yk )■ If 
in addition / is componentwise honest 3 , then A is h-A% -tt-reducible to B. The notion 
of completeness can be induced from its corresponding reducibility. 



'The polynomial-time hierarchy consists of the classes defined in the following fashion: Aq = Sq = 

n o = P. SLi - NP 5 *, andn£ +1 = co-£P +1 for any number fc g N. 

2 A partial function / from E* to E* ispolynomially honest (honest, for short) if there exists a polynomial 
p such that 1*1 < p(!/(*)I) for all strings x € dom(/). 

3 A partial function from E’ to E <w (which is identified with E’ ) is componentwise honest if there exists 
a polynomial p such that, for every x £ dom(/), |x| < p( |j/i |) for all i £ {1,2,..., fc}, provided that 
/(*) = (V!,V2,...,Vk). 
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It is well-known that P-immune sets exist even in the class E. In particular, Ko 
and Moore [11] constructed a P-immune set that is also P-tt-complete for E. Note 
that no h-P-m-complete set for NP can be P-immune since the image of a P-immune 
set by a polynomial-time computable reduction is either finite or P-immune. Using a 
relativization technique, Bennett and Gill [3] showed that a P-immune set exists in NP 
relative to a random oracle with probability 1 . A recursive oracle relative to which NP 
contains P-immune sets was later constructed by Homer and Maass [8], Torenvliet and 
van Ernde Boas [22] strengthened their results by demonstrating a relativized world 
where NP has a P-immune set which is also NP-simple. 

The notion of C-immunity is closely related to various other notions, which in- 
clude complexity cores [13] and instance complexity [15]. We can naturally expand 
these characterizations to more general E£ -immune and -immune sets. Balcazar 
and Schoning [2] also built a bridge between P-bi-immune sets and finite-to-one re- 
ductions. Expanding their argument, we give in Lemma 2 a characterization of C-bi- 
immunity as well as C-immunity. 

For any partial function / from E* to E*, the set Graph(f) = {(x,f(x)) | x £ 
dom(/)} is called the graph of /. Let EqSV = FP and let E^SV denote the class 
of all single- valued partial functions / such that / is polynomially bounded 4 and 
Graph(f) is in E£. For brevity, we write NPSV for EfSV. For any A: € N and 
any A,B C E*, a single-valued partial function /from E* to E* is called a E£- 
m-quasireduction ( A p -m-quasireduction , resp.) from A to B if (i) f is in E^SV 
(FA£ , resp.), (ii) dom(/) is infinite, and (iii) for any string X £ dom(/), x £ A iff 
/(*) € B. For any string u £ E*, the inverse image f _I («) of / at it is the set 
{a; £ dom(/) | f(x) = u}. Notice that / _1 (tt) = 0 if u & ran(/). 

Lemma 2 Let C £ {AlZ p k \k£N} and S C E*. 

1 S is C-immune if and only if (i) S is infinite and (ii)for every set B, every 
C-m-quasireduction ffrom S to B, and every u in B, f~ l (u) is finite. 

2 S is C-bi-immune if and only if (i) S is infinite and (ii)for every set B, every 

C-m-quasireduction ffrom S to B, and every u in E”, is finite. 

The characterization given in Lemma 2(2) led Balcazar and Schoning [2] to in- 
troduce a stronger notion of P-bi-immunity: strong P-bi-immunity. A more general 
notion, called strong C-immunity, will be introduced in Section 2. 

Whether an NP-simple set exists is one of the long-standing open problems because 
such a set separates NP from co-NP. Nonetheless, NP-simple sets are known to exist 
in various relativized worlds. In early 1980s, Homer and Maass [8] and Balcazar [1] 
constructed relativized worlds where an NP-simple set exists. Later, Vereshchagin 
[24] proved that, relative to a random oracle, an NP-simple set exists with probability 
1. From Theorem 9 in Section 2, for instance, it immediately follows that an NP- 
simple set exists relative to a generic oracle. Torenvliet [21] built an oracle relative 
to which a E^ -simple set exists. For a much higher level k of the polynomial-time 



4 A partial function / from E’ to £* is polynomially bounded if there exists apolynomial p such that 

|/(at)| < p(|x|)forany string x 6 dom(/). 
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hierarchy. Bruschi [4] constructed an oracle relative to which E£ -simple sets exist 
using the size lower bounds of certain nonuniform constant-depth circuits. 

In the rest of this section, we focus on closure properties of the class of all E£- 
immune sets because no such closure property has been systematically studied in the 
literature. A complexity class C is said to be closed downward under a reduction < r 
on infinite sets if, for any pair of infinite sets A and B, A < r B and B £ C imply 
A e C. Here, we study three reducibilities. Let k € N. A set A is A^-d-reducible 
to B via / if/ is a total FA^-function from E* to E <w (which is identified with E’) 
and A = {x | B D set(f(x)) / 0}, where set((yi, S/ 2 , • • • > Vm)) - {2/i,J/_ 2, • • • ,2/m}- 
By contrast, A is A %-c-reducible to B via / if A is Aj^-d- reducible to B via /. For 
any fixed i e N + , A is A^-itt-reducible to B via (/, a) if A is A^-tt-reducible to B 
via (i/, f, a), where u(x) = O' for any x. Forany reductibility r using computation C, 
we say that A is h-C-r-reducible to B if A is C-r-reducible to B via / (or (/, a))such 
that / is componentwise honest. 

Now, we claim that the class of all E^-immune sets is closed downward under 
h-A^-C-reductions on infinite sets; however, we cannot replace this conjunctive re- 
ducibility by disjunctive reducibility . 

Theorem 3 Let k e N + . 

1 The class of all T^-immune sets is closed downward under h-A^-C-reductions 
on infinite sets. 

2 The class of all NP -immune sets is not closed under h-P-d-reductions or h- P- 
2tt-reductions on infinite sets. 

The first claim of Theorem 3 is easy and is shown as follows. Assume that an 
infinite set A is h-Aj^ -C-reducible to a EP- immune set B via a componentwise-honest 
reduction /. If A contains an infinite E^ -subset C, then consider the set D = {y | 
3i € C[|a;1 < p(|y|) Aye set(/(x))j}, where p is a polynomial such that |x| < 
p(\y\) for all x and all y € set(f(x)). Clearly, D is an infinite E^-subset of B, a 
contradiction. Therefore, A is E^-immune. 

How complex are E^-simplc sets? Intuitively, C-simple sets are “thin" and thus 
cannot be “complete” for the class C. As an immediate consequence of Theorem 3(1), 
we obtain the following corollary. 

Corollary 4 Let k e N + . No E £ -simple set is h-A^-d-complete for E£. 

Recently, Agrawal (cited in [19]) showed, using the NP-levelability of SAT (as- 
suming SAT 0 P), that no NP-simple set is h-P-btt-complete for NP, where SAT 
is the set of all satisfiable quantifier-free Boolean formulas. His argument will be 
generalized in Section 4 in connection to C-hyperimmune sets. 

2. Strong Immunity and Strong Simplicity 

Following the introduction of P-bi-immunity, Balcazar and Schoning [2] stepped 
forward to introduce the notion of strongly P-bi-immunity, which comes from the 
quasireducibility-characterization of P-bi-immunity given in Lemma 2(2). While P- 
bi-immunity requires its quasireductions to be finite-to-one, strong P-bi-immunity re- 
quires the quasireductions to be almost one-to-one, where a quasireduction / is called 
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almost one-to-one on a set S if the collision set {(x,y) € (dom(/) 0 S) 2 | x < 
V A f(x) = f{y)} is finite. Such strongly P-bi-immune sets are known to exist even 
in the class E [2], 

Generalizing the notion of P-bi-immunity, we can introduce strong C-bi-immunity 
for any complexity class C lying in the polynomial-time hierarchy. Moreover, we 
newly introduce the notions of strong C-immunity and strong C-simplicity. Recall that 
E£ -m-quasireductions are all single-valued functions in E^SV for each k € N + . 

Definition 5 Let C € {A£,E£!fceN}. 

1 A set S is strongly C-immune if(i) S is infinite and (ii)for every set B and 
every C-m-quasireduction ffrom S to B, f is almost one-to-one on S. 

2 A set S is strongly C-bi-immune if S and S are both strongly C-immune. 

3 A set S is strongly C-simple if S is in C and S is strongly C-immune. 

In particular, when C = P, Definition 5(2) coincides with the notion of P-bi- 
immunity originally given in [2], 

LEMMA 6 For any complexity class C € {A£,E£ I k 6 N}, every strongly C- 

immune set is C-immune and every strongly C-simple set is C-simple. 

A major difference between C-immunity and strong C-immunity is shown in the 
following example. For any NP-immune set A, the disjoint union 5 A® A is also NP- 
immune; on the contrary, it is not strongly NP-immune because A® A can be reduced 
to A by the almost two-to-one function / defined as /(A) = A and f(xb) = x for b € 
{0,1}, where A is the empty string. Therefore, the class of all strongly NP-immune 
sets is not closed under the disjoint-union operator. Historically, using the structural 
difference between these two notions, Balcazar and Schoning [2] constructed a set in 
E which is P-bi-immune but not strongly P-bi-immune. 

We show a closure property ofthe class of strongly E^ -immune sets. If A is -m- 
reducible to B via a one-to-one honest reduction /, we say that A is h-A^- 1 -reducible 
to B via /. 

Proposition 7 Let k e N + . 

1 The class of all strongly E^ -immune sets is closed downward under h- Al-1- 
reductions on infinite sets. 

2 The class of all strongly NP-immune sets is not closed downward under h- P- 
m-reductions on infinite sets. 

Corollary 8 For each level k G N + , there is no strongly -simple set that is 

h-A% -1 -complete for E£. 

Finally, we turn our interest to relativization. For each k € N + , it is easy to show 
that a strongly E^ -simple set exists relative to a recursive oracle (similar to Proposition 



5 The disjoint union of A and B is the set {Ox | x G A} U {lx | x £ 0}. 
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26). Even relative to a random oracle, there exists a strongly NP-simple set with 
probability 1 (similar to Proposition 27). Employing weak forcing, we now prove the 
following relativization result. 

Theorem 9 A strongly NP G -simple set exists relative to a generic oracle G. 

3. Almost Immunity and Almost Simplicity 

We have shown in the previous section that strong C-immunity and its simplicity 
strengthen the ordinary notion of C-immunity and C-simplicity. In contrast to these 
notions, Orponen [14] and Orponen. Russo, and Schoning [16] expanded P-immunity 
to the new notion of almost P-immunity. The complementary notion of almost P- 
immunity under the term P-levelability (a more general term “levelable sets” was first 
used by Ko [10] in a resource-bounded setting) was extensively discussed by Orponen 
et al. [16]. Naturally, we can generalize these notions to almost C-immunity and C- 
levelability for any complexity class C. Furthermore, we newly introduce the notion 
of almost C-bi-immunity and almost C-simplicity. 

Definition 10 Let C be any complexity class. 

1 A set S is almost C-immune if S is the union of a C-immune set and a set in C. 

2 An infinite set is C-levelable if it is not almost C-immune. 

3 A set S is almost C-bi-immune ifS and S are both almost C-immune. 

4 A set S is almost C-simple ifS is an infinite set in C and S is the union of a set 
A in C and a C-immune set B, where the difference B\A is infinite. 

It follows from Definition 10(1) that every almost C-immune set is infinite since 
so is every C-immune set. The definition of almost C-simplicity in Definition 10(4) is 
slightly different from other simplicity definitions because the infinity condition of the 
difference B\A is necessary to guarantee C ^ co-C, provided that an almost C-simple 
set exists. 

LEMMA 1 1 Let C be any complexity class closed under finite variations, finite union 
and finite intersection. If an almost C-simple set exists, thenC / co-C. 

Lemma 1 1 is shown as follows. Take any set S such that S = A U B for a set 
A E C and a C-immune set B. Suppose C = co-C. Note that B \ A C B and 
B\A = S\ AeC. Since B is C-immune, B \ A must be finite. 

The following lemma is immediate from Definition 10. 

Lemma 12 For any complexity class C, every C-immune set is almost C-immune 
and every C-simple set is almost C-simple. 

Several characterizations of almost P-immunity and P-levelability are shown in 
[16] in terms of maximal P-subsets and P-to-finite reductions. We can naturally ex- 
pand these characterizations to almost -immunity and A^-levelability (but not to 
the E-level classes of the polynomial-time hierarchy). 




